LILiK
/
lilik_playbook
5
0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

more generic certbot

python3
Andrea Cimbalo 8 years ago
parent
4de58737b6
commit
f426c9cd3a
23 changed files with 103 additions and 148 deletions
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. +0
    -1
      login.yaml
  2. +2
    -0
      roles/certbot/defaults/main.yaml
  3. +8
    -8
      roles/certbot/tasks/main.yaml
  4. +1
    -0
      roles/dokuwiki/meta/main.yaml
  5. +0
    -7
      roles/dokuwiki/templates/dokuwiki.conf.nginx.j2
  6. +0
    -36
      roles/dokuwiki/templates/dokuwiki.conf.nginx.j2.TODO
  7. +2
    -1
      roles/icinga2/meta/main.yaml
  8. +2
    -7
      roles/icinga2/templates/icinga2.conf.nginx.j2
  9. +2
    -1
      roles/login/meta/main.yaml
  10. +0
    -27
      roles/login/templates/login.conf.nginx.j2
  11. +1
    -1
      roles/nginx/defaults/main.yml
  12. +3
    -0
      roles/nginx/meta/main.yaml
  13. +23
    -18
      roles/nginx/tasks/main.yaml
  14. +11
    -16
      roles/nginx/templates/base.j2
  15. +11
    -0
      roles/nginx/templates/proxy.conf.nginx.j2
  16. +1
    -0
      roles/reverse_proxy/templates/http.j2
  17. +2
    -0
      roles/roundcube/meta/main.yaml
  18. +0
    -4
      roles/roundcube/templates/roundcube.conf.nginx.j2
  19. +2
    -0
      roles/sympa/meta/main.yaml
  20. +1
    -9
      roles/sympa/templates/sympa.conf.nginx.j2
  21. +3
    -1
      roles/wordpress/meta/main.yaml
  22. +0
    -11
      roles/wordpress/templates/wordpress.apache2.j2
  23. +28
    -0
      roles/wordpress/templates/wordpress.conf.nginx.j2

+ 0
- 1
login.yaml View File

@ -13,4 +13,3 @@
- role: login - role: login
- role: reverse_proxy - role: reverse_proxy
hostname: login3 hostname: login3
- role: certbot

+ 2
- 0
roles/certbot/defaults/main.yaml View File

@ -0,0 +1,2 @@
---
webserver_name: nginx

+ 8
- 8
roles/certbot/tasks/main.yaml View File

@ -10,13 +10,13 @@
- cron - cron
- name: request certificate - name: request certificate
command: certbot certonly -a standalone --preferred-challenges http -d login3.lilik.it -n
command: certbot certonly -a standalone --agree-tos --email roots@lists.lilik.it --preferred-challenges http -d {{ server_fqdn }} -d www.{{ server_fqdn }} -n
args: args:
creates: /etc/letsencrypt/live/login3.lilik.it/cert.pem
creates: /etc/letsencrypt/live/{{ server_fqdn }}/cert.pem
- name: add certbot cron
cron:
name: "certbot cron"
minute: "30"
hour: "2"
job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload nginx"'
# - name: add certbot cron
# cron:
# name: "certbot cron"
# minute: "30"
# hour: "2"
# job: '/usr/bin/certbot renew -n --renew-hook "/bin/systemctl reload {{ webserver_name }}"'

+ 1
- 0
roles/dokuwiki/meta/main.yaml View File

@ -2,4 +2,5 @@
dependencies: dependencies:
- role: nginx - role: nginx
php: true php: true
config_name: "dokuwiki"
parent_role_path: "dokuwiki" parent_role_path: "dokuwiki"

+ 0
- 7
roles/dokuwiki/templates/dokuwiki.conf.nginx.j2 View File

@ -1,9 +1,3 @@
server {
listen 80;
client_max_body_size 4M;
client_body_buffer_size 128k;
root /usr/share/dokuwiki; root /usr/share/dokuwiki;
index doku.php; index doku.php;
@ -24,4 +18,3 @@ server {
fastcgi_param REDIRECT_STATUS 200; fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
} }
}

+ 0
- 36
roles/dokuwiki/templates/dokuwiki.conf.nginx.j2.TODO View File

@ -1,36 +0,0 @@
server {
listen 80;
listen [::]:80;
server_name wiki.domain.example;
return 301 https://$server_name$request_uri;
}
server {
listen [::]:443 ssl;
listen 443 ssl;
client_max_body_size 4M;
client_body_buffer_size 128k;
root /usr/share/dokuwiki;
index doku.php;
location ~ /(data/|conf/|bin/|inc/|install.php) { deny all; }
location / { try_files $uri $uri/ @dokuwiki; }
location @dokuwiki {
rewrite ^/_media/(.*) /lib/exe/fetch.php?media=$1 last;
rewrite ^/_detail/(.*) /lib/exe/detail.php?media=$1 last;
rewrite ^/_export/([^/]+)/(.*) /doku.php?do=export_$1&id=$2 last;
rewrite ^/(.*) /doku.php?id=$1&$args last;
}
location ~ \.php$ {
try_files $uri $uri/ /doku.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param REDIRECT_STATUS 200;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
}

+ 2
- 1
roles/icinga2/meta/main.yaml View File

@ -2,5 +2,6 @@ dependencies:
- role: nginx - role: nginx
php: true php: true
parent_role_path: "icinga2" parent_role_path: "icinga2"
config_names: "icinga2"
config_name: "icinga2"
server_fqdn: "status.lilik.it"
- role: postgresql - role: postgresql

+ 2
- 7
roles/icinga2/templates/icinga2.conf.nginx.j2 View File

@ -1,10 +1,6 @@
server {
listen 80;
location = / {
return 301 http://$host/icingaweb2;
location / {
rewrite ^/$ /icingaweb2 permanent;
} }
location ~ ^/icingaweb2/index\.php(.*)$ { location ~ ^/icingaweb2/index\.php(.*)$ {
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock; fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
fastcgi_index index.php; fastcgi_index index.php;
@ -18,4 +14,3 @@ server {
alias /usr/share/icingaweb2/public; alias /usr/share/icingaweb2/public;
try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args; try_files $1 $uri $uri/ /icingaweb2/index.php$is_args$args;
} }
}

+ 2
- 1
roles/login/meta/main.yaml View File

@ -4,4 +4,5 @@ dependencies:
is_proxy: true is_proxy: true
config_name: "login" config_name: "login"
remote_host: "http://localhost:5000" remote_host: "http://localhost:5000"
server_name: "login.lilik.it"
server_fqdn: "login3.lilik.it"
parent_role_path: "login"

+ 0
- 27
roles/login/templates/login.conf.nginx.j2 View File

@ -1,28 +1 @@
server {
listen *:80;
server_name login.lilik.it;
client_max_body_size 0;
location / {
rewrite ^/$ /static/index.html permanent; rewrite ^/$ /static/index.html permanent;
proxy_http_version 1.1;
proxy_set_header Host projects.leader.lilik.it;
proxy_set_header X-Forwarded-Host "";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_pass http://localhost:5000;
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
}
}

+ 1
- 1
roles/nginx/defaults/main.yml View File

@ -1,4 +1,4 @@
--- ---
is_proxy: false is_proxy: false
php: false php: false
config_names: []
config_name: null

+ 3
- 0
roles/nginx/meta/main.yaml View File

@ -0,0 +1,3 @@
---
dependencies:
- role: certbot

+ 23
- 18
roles/nginx/tasks/main.yaml View File

@ -34,31 +34,36 @@
notify: notify:
- restart nginx - restart nginx
- name: upload nginx proxy configuration
- name: upload nginx configuration
template: template:
src: proxy_nginx.j2
dest: "/etc/nginx/sites-available/{{ config_name }}.conf"
when: is_proxy | bool
src: base.j2
dest: "/etc/nginx/sites-available/{{ config_name|default('proxy') }}.conf"
notify: notify:
- restart nginx - restart nginx
- name: add nginx configurations
template:
src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2"
dest: /etc/nginx/sites-available/{{ item }}.conf
with_items: "{{ config_names }}"
notify:
- restart nginx
# - name: add nginx configurations
# template:
# src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2"
# dest: /etc/nginx/sites-available/{{ item }}.conf
# with_items: "{{ config_names }}"
# notify:
# - restart nginx
- name: add proxy to config_names
set_fact:
config_names: "{{ config_names | union( [config_name])}}"
when: is_proxy | bool
# - name: add proxy to config_names
# set_fact:
# config_names: "{{ config_names | union( [config_name])}}"
# when: is_proxy | bool
- name: create Diffie Hellman exchange parameters
command: openssl dhparam -out /etc/nginx/dhparam.pem 2048
args:
creates: /etc/nginx/dhparam.pem
notify: restart nginx
- name: enable nginx configurations - name: enable nginx configurations
file: file:
src: "/etc/nginx/sites-available/{{ item }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
src: "/etc/nginx/sites-available/{{ config_name|default('proxy') }}.conf"
dest: "/etc/nginx/sites-enabled/{{ config_name|default('proxy') }}.conf"
state: link state: link
with_items: "{{ config_names }}"
# with_items: "{{ config_names }}"
notify: restart nginx notify: restart nginx

roles/nginx/templates/proxy_nginx.j2 → roles/nginx/templates/base.j2 View File


+ 11
- 0
roles/nginx/templates/proxy.conf.nginx.j2 View File

@ -0,0 +1,11 @@
location / {
client_max_body_size 50M;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Frame-Options SAMEORIGIN;
proxy_pass {{ remote_host }};
}

+ 1
- 0
roles/reverse_proxy/templates/http.j2 View File

@ -10,6 +10,7 @@ server {
proxy_set_header X-NginX-Proxy true; proxy_set_header X-NginX-Proxy true;
proxy_pass http://{{ hostvars[ansible_hostname]['ansible_host'] }}; proxy_pass http://{{ hostvars[ansible_hostname]['ansible_host'] }};
} }
location / { location / {
if ($request_method = POST) { if ($request_method = POST) {
return 307 https://$server_name$request_uri; return 307 https://$server_name$request_uri;


+ 2
- 0
roles/roundcube/meta/main.yaml View File

@ -2,4 +2,6 @@
dependencies: dependencies:
- role: nginx - role: nginx
php: true php: true
config_name: "roundcube"
server_fqdn: "webmail.lilik.it"
parent_role_path: "roundcube" parent_role_path: "roundcube"

+ 0
- 4
roles/roundcube/templates/roundcube.conf.nginx.j2 View File

@ -1,6 +1,3 @@
server {
listen 80;
# support roundcubemail secure urls # support roundcubemail secure urls
rewrite "^/[a-zA-Z0-9]{16}/(.*)" /$1; rewrite "^/[a-zA-Z0-9]{16}/(.*)" /$1;
@ -20,4 +17,3 @@ server {
location ~ /\.ht { location ~ /\.ht {
deny all; deny all;
} }
}

+ 2
- 0
roles/sympa/meta/main.yaml View File

@ -1,6 +1,8 @@
--- ---
dependencies: dependencies:
- role: nginx - role: nginx
config_name: "sympa"
server_fqdn: "lists.lilik.it"
parent_role_path: "sympa" parent_role_path: "sympa"
- role: exim4 - role: exim4
stmp_relay: "{{ hostvars['mail'].ansible_host }}" stmp_relay: "{{ hostvars['mail'].ansible_host }}"


+ 1
- 9
roles/sympa/templates/sympa.conf.nginx.j2 View File

@ -1,12 +1,5 @@
# based on https://gist.github.com/bjacint/7862912
server {
listen 80;
server_name *.*;
# based on https://gist.github.com/bjacint/7862912
root /usr/lib/cgi-bin/sympa; root /usr/lib/cgi-bin/sympa;
access_log /var/log/nginx/sympa.access.log;
error_log /var/log/nginx/sympa.error.log;
error_page 403 500 502 503 504 /50x.html; error_page 403 500 502 503 504 /50x.html;
rewrite ^/$ /wws permanent; rewrite ^/$ /wws permanent;
@ -62,4 +55,3 @@ server {
fastcgi_param HTTP_HOST $http_host; fastcgi_param HTTP_HOST $http_host;
fastcgi_intercept_errors on; fastcgi_intercept_errors on;
} }
}

+ 3
- 1
roles/wordpress/meta/main.yaml View File

@ -1,6 +1,8 @@
--- ---
dependencies: dependencies:
- role: apache2
- role: nginx
php: true php: true
parent_role_path: "wordpress" parent_role_path: "wordpress"
config_name: "wordpress"
server_fqdn: "blog.lilik.it"
- role: mysql - role: mysql

+ 0
- 11
roles/wordpress/templates/wordpress.apache2.j2 View File

@ -1,11 +0,0 @@
<VirtualHost *:80>
ServerName {{ item }}.lilik.it
DocumentRoot /usr/share/wordpress
DirectoryIndex index.php
Alias /wp-content/ "/srv/www/wp-content/{{ item }}.lilik.it/"
<Directory /usr/share/wordpress>
AllowOverride All
Order Deny,Allow
Allow from all
</Directory>
</VirtualHost>

+ 28
- 0
roles/wordpress/templates/wordpress.conf.nginx.j2 View File

@ -0,0 +1,28 @@
root /usr/share/wordpress;
index index.php;
location /wp-content/ {
alias /srv/www/wp-content/$host/;
}
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
}
#deny access to .htaccess files, if Apache's document root
#concurs with nginx's one
location ~ /\.ht {
deny all;
}
location /files {
rewrite ^/files/(.+) /wp-includes/ms-files.php?file=$1 break;
}
location / {
if (-e $request_filename){
rewrite ^(.*)$ /index.php break;
}
}

Write Preview
Loading…
Cancel
Save