Compare commits

...

12 Commits

Author SHA1 Message Date
  Zolfa 6e9fc282cf add chaining intermediat in target crt 8 years ago
  Lorenzo 1b76775fc8 boolean filter instead of True comparison 8 years ago
  Lorenzo d5edc93549 nginx daemon settings: suggestion from @edoput 8 years ago
  Lorenzo 6d332231c6 disable broken server configuration files 8 years ago
  Lorenzo 293d502ade now is possible to define acme dir with letsencrypt_acme_dir var 8 years ago
  Lorenzo 944314dc5d default for le_pause 8 years ago
  Lorenzo bdf0a90396 bug-fix: handle empty config_files` 8 years ago
  Lorenzo 1427fe3069 pause before remote-testing server 8 years ago
  Lorenzo 37c875a18c bug fixes: nginx.conf is updated, typo in defaults corrected 8 years ago
  Lorenzo 530c1b2ebb various bug and typos fixes 8 years ago
  Lorenzo 775b463295 change php requirement to php-fpm deb package - fix bug introduced with 8 years ago
  Lorenzo 94dc5d0f10 a first attempt to merge lilik nginx role with functionalities from Ginsys.nginx and to include letsencrypt automation tasks - must not break functionality of other roles using previous lilik nginx role 8 years ago
7 changed files with 245 additions and 6 deletions
Split View
  1. +31
    -3
      roles/nginx/defaults/main.yml
  2. +55
    -0
      roles/nginx/tasks/letsencrypt.yaml
  3. +89
    -3
      roles/nginx/tasks/main.yaml
  4. +9
    -0
      roles/nginx/tasks/store_challenge.yaml
  5. +27
    -0
      roles/nginx/templates/nginx.conf.j2
  6. +28
    -0
      roles/nginx/templates/site.j2
  7. +6
    -0
      roles/nginx/vars/main.yaml

+ 31
- 3
roles/nginx/defaults/main.yml View File

@ -1,4 +1,32 @@
---
is_proxy: false
php: false
config_names: []
is_proxy: false
php: false
config_names: []
letsencrypt: false
nginx_max_clients: 512
nginx_http_params:
sendfile: "on"
tcp_nopush: "on"
tcp_nodelay: "on"
keepalive_timeout: "65"
nginx_log_dir: "/var/log/nginx"
nginx_access_log_name: "access.log"
nginx_error_log_name: "error.log"
nginx_separate_logs_per_site: False
letsencrypt_pause: false
letsencrypt_account_key: "/etc/ssl/private/letsencrypt.key.pem"
letsencrypt_intermediate_url: "https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem"
letsencrypt_intermediate_crt: "/etc/ssl/private/intermediatex3.crt"
letsencrypt_challenge_webroot: "/var/www/html"
letsencrypt_ssl_country: "IT"
letsencrypt_ssl_state: "Italy"
letsencrypt_ssl_loc: "Florence"
letsencrypt_ssl_org: "LILiK"
letsencrypt_ssl_email: "letsencrypt@example.com"
nginx_sites:

+ 55
- 0
roles/nginx/tasks/letsencrypt.yaml View File

@ -0,0 +1,55 @@
- name: provision ssl host private key
openssl_privatekey:
path: "{{ item.server.ssl_certificate_key }}"
- name: generate certificate signing request
command: >
openssl req
-new
-sha256
-nodes
-key {{ item.server.ssl_certificate_key }}
-out {{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~".csr") }}
-subj "/C={{ item.letsencrypt.ssl_country | default(letsencrypt_ssl_country)
}}/ST={{ item.letsencrypt.ssl_state | default(letsencrypt_ssl_state)
}}/L={{ item.letsencrypt.ssl_loc | default(letsencrypt_ssl_loc)
}}/O={{ item.letsencrypt.ssl_org | default(letsencrypt_ssl_org)
}}/CN={{ item.letsencrypt.ssl_cn | default(item.server.server_name)
}}/emailAddress={{ item.letsencrypt.ssl_email | default(letsencrypt_ssl_email) }}"
- name: get challenge(s) from letsencrypt server
letsencrypt:
account_key: "{{ letsencrypt_account_key }}"
csr: "{{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~'.csr') }}"
dest: "{{ item.server.ssl_certificate }}"
acme_directory: "{{ letsencrypt_acme_dir | default(omit) }}"
register: letsencrypt_challenge
- name: store challenge(s) in local dir
include: store_challenge.yaml
when: letsencrypt_challenge|changed
- pause:
prompt: "LETSENCRYPT REMOTE VERIFICATION REQUIRED!. Perform any action to
make server reachable from outside, then press ENTER to start
verification"
when: letsencrypt_challenge|changed and letsencrypt_pause|bool
- name: get signed certificate(s) from letsencrypt server
letsencrypt:
account_key: "{{ letsencrypt_account_key }}"
csr: "{{ item.letsencrypt.ssl_csr | default(item.server.ssl_certificate~'.csr') }}"
dest: "{{ item.server.ssl_certificate }}"
acme_directory: "{{ letsencrypt_acme_dir | default(omit) }}"
data: "{{ letsencrypt_challenge }}"
notify: restart nginx
- name: download intermediate cert for chaining
get_url:
url: "{{ letsencrypt_intermediate_url }}"
dest: "{{ letsencrypt_intermediate_crt }}"
when: letsencrypt_challenge|changed
- name: chaining intermediate certificate
shell: "cat {{ letsencrypt_intermediate_crt }} >> {{ item.server.ssl_certificate }}"
when: letsencrypt_challenge|changed

+ 89
- 3
roles/nginx/tasks/main.yaml View File

@ -6,6 +6,39 @@
service_packages:
- nginx
- name: install letsencrypt dependencies
apt:
name: "{{ item }}"
state: present
update_cache: yes
cache_valid_time: 3600
with_items: "{{ letsencrypt_requirements }}"
when: letsencrypt|bool
- name: provision directories for site specific configurations
file:
path: /etc/nginx/{{ item }}
state: directory
owner: root
group: root
mode: 0755
with_items:
- "sites-available"
- "sites-enabled"
- name: provision letsencrypt challenge folder
file:
path: "{{ letsencrypt_challenge_webroot }}/.well-known/acme-challenge"
state: directory
owner: root
group: root
mode: 0755
when: letsencrypt|bool
- name: upload nginx configuration
template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
- name: disable nginx default configuration
file:
path: /etc/nginx/sites-enabled/default
@ -33,16 +66,69 @@
- enable nginx configuration
- restart nginx
- name: add nginx configurations
- name: add nginx configuration custom templates
template:
src: "roles/{{ parent_role_path }}/templates/{{ item }}.conf.nginx.j2"
dest: /etc/nginx/sites-available/{{ item }}.conf
dest: "/etc/nginx/sites-available/{{ item }}.conf"
with_items: "{{ config_names }}"
when: config_names is defined and item|bool
- name: enable nginx configurations
- name: enable nginx configuration custom templates
file:
src: "/etc/nginx/sites-available/{{ item }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
state: link
with_items: "{{ config_names }}"
when: config_names is defined and item|bool
notify: restart nginx
- name: generate nginx configurations from standard template
template:
src: site.j2
dest: "/etc/nginx/sites-available/{{ item.server.file_name }}"
with_items: "{{ nginx_sites }}"
when: nginx_sites is defined and nginx_sites
register: nginx_gen_conf
notify: restart nginx
- name: disable ssl configurations with pending cert issuing
file:
path: "/etc/nginx/sites-enabled/{{ item.item.server.file_name }}"
state: absent
with_items: "{{ nginx_gen_conf.results }}"
when:
- item | changed
- item.item.letsencrypt is defined
- name: enable nginx configurations used for letsencrypt challenge
file:
path: "/etc/nginx/sites-enabled/{{ item.server.file_name }}"
state: link
src: "/etc/nginx/sites-available/{{ item.server.file_name }}"
with_items: "{{ nginx_sites }}"
when: letsencrypt|bool and item.use_for_challenge is defined and item.use_for_challenge|bool and nginx_sites is defined and nginx_sites
- name: restart nginx to start enabled configurations used for letsencrypt
service:
name: nginx
state: restarted
when: letsencrypt|bool
- name: provision letsencrypt account private key
openssl_privatekey:
path: "{{ letsencrypt_account_key }}"
when: letsencrypt|bool
- name: provision ssl cert/key(s) with letsencrypt
include: letsencrypt.yaml
with_items: "{{ nginx_sites }}"
when: letsencrypt|bool and item.letsencrypt is defined and nginx_sites is defined and nginx_sites
- name: enable nginx configuration generated from standard template
file:
path: "/etc/nginx/sites-enabled/{{ item.server.file_name }}"
state: link
src: "/etc/nginx/sites-available/{{ item.server.file_name }}"
with_items: "{{ nginx_sites }}"
when: nginx_sites is defined and nginx_sites
notify: restart nginx

+ 9
- 0
roles/nginx/tasks/store_challenge.yaml View File

@ -0,0 +1,9 @@
- name: copy challenge file inside webroot
copy:
dest: "{{ letsencrypt_challenge_webroot }}/{{ chall.value['http-01']['resource'] }}"
content: "{{ chall.value['http-01']['resource_value'] }}"
with_dict: "{{ letsencrypt_challenge.challenge_data }}"
loop_control:
loop_var: chall

+ 27
- 0
roles/nginx/templates/nginx.conf.j2 View File

@ -0,0 +1,27 @@
# {{ ansible_managed }}
#
user www-data;
pid /var/run/nginx.pid;
events {
worker_connections {{ nginx_max_clients }};
}
http {
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
include /etc/nginx/mime.types;
default_type application/octet-stream;
access_log {{ nginx_log_dir }}/{{ nginx_access_log_name }};
error_log {{ nginx_log_dir }}/{{ nginx_error_log_name }};
{% for k,v in nginx_http_params.iteritems() %}
{{ k }} {{ v }};
{% endfor %}
gzip on;
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}

+ 28
- 0
roles/nginx/templates/site.j2 View File

@ -0,0 +1,28 @@
# {{ ansible_managed }}
server {
{% for key,value in item.server|dictsort if key != 'file_name' %}
{{ key }} {{ value }};
{% if nginx_separate_logs_per_site|bool %}
access_log {{ nginx_log_dir }}/{{ item.server.server_name }}-{{ nginx_access_log_name }};
error_log {{ nginx_log_dir }}/{{ item.server.server_name }}-{{ nginx_error_log_name }};
{% endif %}
{% endfor %}
{% if item.use_for_challenge is defined %}
location /.well-known/acme-challenge {
root {{ letsencrypt_challenge_webroot }};
}
{% endif %}
{% if 'location' in item %}
{% for location in item.location if 'location' in item %}
location {{ location.name }} { {% for key,value in location|dictsort if key != 'name' %}
{{ key }} {{ value }}; {% endfor %}
}
{% endfor %}
{% endif %}
}

+ 6
- 0
roles/nginx/vars/main.yaml View File

@ -0,0 +1,6 @@
---
letsencrypt_requirements:
# - python-selinux
- openssl
- python-openssl
- ca-certificates

Loading…
Cancel
Save