diff --git a/roles/service-nginx/files/known_hosts b/roles/service-nginx/files/known_hosts
new file mode 100644
index 0000000..91be244
--- /dev/null
+++ b/roles/service-nginx/files/known_hosts
@@ -0,0 +1,4 @@
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-dss AAAAB3NzaC1kc3MAAACBAJS26DIY2QfUOrGMr5Tnlds7jVLQPEvgtOVRmz+6Y576XjrtDL24R+J5ow2NFY0jJbo3ib11a38qflqx8u7ZVXIi23EzhgszQPte3q44EMHIlw5HfvfN3qYXXn33pPiLWPmr8bNwUK4EyGoNctNSrWOhwf/vZn0MIroPwJtIpfbLAAAAFQCrUtRkboJy0Tpn06ph77Nf0mkYNQAAAIEAiGjBSFBSGtZjARlHl6dT6HADMkuCT2dW4bh7JxRyJke4nglWzTPT84XZ/4KjiLcYPKROFdxdLSkFQt0b9Ef5KMGUa9QNPs8M89Zcrpyrz6O31KXaSbHaiV3Uimx9N2RNg4++7d+AWXNTivV/jPT+FPSKf9PLX5PebYpR97+/UVsAAACAahkxs6SS97ntBBmxGT0VSFiV8U8dBHlgKy2Jj3NjP3e4OwHOmqcD8LsvBS+IGdki/2uSUpd2fprV/4R1djkjMvlw/iP0VZyad0gKIikqHK1mtLduzjJXgVHtU+CdsfGuoVh/3EXhKyyZJAwpNjqbjLbEZu9MwcAIDq9m8Hgol1I=
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCbZJJZsYR3fHhRFJyPYbbRf/VvbUoKYBjpQTSpaCZG2Tl5pvNIwVbyDF/dcCRtamIeFAxWMVVc0wJj9gQnnog=
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMqFRautch/VPTUpG7vJvt8M05vI4+qq6zWFiji9C2o
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXcRPe0d4JLfm67086fGMxBEeS1wi/sVpCB5rcR9tPNKGKZ/rL/DvP6Juqch+5xC6zG5uMGRLJhW3SLTLQuQ3ru7lvJxJYxBPpokO0hAde3JMZx4xV0p4Flw0WGWql2TkPYzWSGP62FaFH77BnpMVVBVXaoVVqKqPFgb8YzYFcEFPIpw8HOnKLhCBJmQzaWeLFu/HbasvdUYPGXvh+8VYc9KXcbQPfLtwlejI0iCYlJTGFv29WVUabceoskeMipljwQ/oNIk8mpSKKD0MGRw96sWByG2uHxJZtlAELHNoSw6uowpU02xJNPW8LF3ip07k6pV33Q/Y/9NGyDw4Yk0X
diff --git a/roles/service-nginx/handlers/main.yml b/roles/service-nginx/handlers/main.yml
index d0c9b9a..fe30574 100644
--- a/roles/service-nginx/handlers/main.yml
+++ b/roles/service-nginx/handlers/main.yml
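Review bot: The first of the four pinned entries for zuckerwatte.ffmwu.org is an `ssh-dss` key; DSA host keys have been disabled by default in OpenSSH since 7.0, so that line is never matched by a current client and only keeps a weak algorithm in the trust store — drop it and keep the ed25519, ecdsa and rsa entries. Pinning the host keys in the repository is the right approach, but nothing records how these fingerprints were verified against the server out of band; since this file is read whole by the `known_hosts` task, put that record in the task name or a comment next to it, e.g. `# host keys of zuckerwatte.ffmwu.org, verified on <date> via <method>`, so they can be re-checked when the host is rekeyed.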
@@ -1,8 +1,8 @@
 ---
-- name: reload nginx
+- name: restart nginx
   systemd:
     name: nginx
-    state: reloaded
+    state: restarted
 
 - name: restart cron
   systemd:
diff --git a/roles/service-nginx/tasks/main.yml b/roles/service-nginx/tasks/main.yml
index b58b79d..f498efd 100644
--- a/roles/service-nginx/tasks/main.yml
+++ b/roles/service-nginx/tasks/main.yml
@@ -20,6 +20,17 @@
     name: nginx
     state: present
 
+- name: install ssl-cert packages
+  package:
+    name: ssl-cert
+    state: present
+
+- name: Add remote server to known_hosts
+  known_hosts:
+    path: /etc/ssh/ssh_known_hosts
+    name: zuckerwatte.ffmwu.org
+    key: "{{ lookup('file', 'known_hosts') }}"
+
 - name: create cronjob to sync ssl certs
   template:
     src: ssl_certs.cron.j2
@@ -39,11 +50,36 @@
 
 - name: create certs directory
   file:
-    path: /etc/nginx/ssl
+    path: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}
     state: directory
-    mode: 0755
-    owner: root
-    group: root
+    mode: 0550
+    owner: www-data
+    group: admin
+
+- name: create snakeoil cert
+  shell: make-ssl-cert generate-default-snakeoil
+  args:
+    creates: /etc/ssl/certs/ssl-cert-snakeoil.pem
+
+- name: copy snakeoil ssl key for first start
+  copy:
+    src: /etc/ssl/private/ssl-cert-snakeoil.key
+    dest: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
+    remote_src: yes
+    force: no
+    owner: www-data
+    group: admin
+    mode: 0440
+
+- name: copy snakeoil ssl cert for first start
+  copy:
+    src: /etc/ssl/certs/ssl-cert-snakeoil.pem
+    dest: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem
+    remote_src: yes
+    force: no
+    owner: www-data
+    group: admin
+    mode: 0440
 
 - name: sync ssl certs
   shell: /etc/cron.daily/ssl_certs
@@ -55,6 +91,7 @@
     mode: 0644
     owner: root
     group: root
+  notify: restart nginx
 
 - name: write nginx configuration nginx.conf
   template:
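Review bot: Renaming the only nginx handler from `reload nginx` to `restart nginx` turns every config and certificate change into a full restart that drops in-flight connections, and it removes the `reload nginx` name that any other role or playbook may still notify (the same rename is applied to the notify lines in the tasks hunks at `@@ -55,6 +91,7` and `@@ -63,14 +100,14`). nginx re-reads its configuration and certificate files on `state: reloaded`, so a restart is not needed to pick up the synced certs. I'd keep the existing `reload nginx` handler unchanged and add `restart nginx` beside it as a second handler, so the restart is reserved for the cases that really need it.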
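Review bot: In the `@@ -20,6 +20,17` hunk, `key: "{{ lookup('file', 'known_hosts') }}"` passes the whole four-line file to the known_hosts module as one `key` value, while that parameter is documented as a single host-key string; I believe a multi-line value does not match the module's existing-entry check, so the block may be appended again on every run — confirm idempotence with a second run, or loop over `lookup('file', 'known_hosts').splitlines()` so each key is managed as its own entry. The task also writes to the system-wide `/etc/ssh/ssh_known_hosts`, presumably so the root-run `/etc/cron.daily/ssl_certs` sync trusts the cert source; that intent is worth stating in the task, e.g. `# system-wide known_hosts: the daily ssl_certs cron job runs as root and must verify the cert source`.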
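Review bot: In the `@@ -39,11 +50,36` hunk the private key copied to `.../privkey.pem` ends up `owner: www-data`, `group: admin`, `mode: 0440`, in a directory that is `0550 www-data:admin`. In the usual deployment nginx's master process runs as root and loads the key itself, so the www-data workers do not need to read it, and group-readability for `admin` exposes the key to every account in that group as well as to any compromised worker; unless the daily sync in `/etc/cron.daily/ssl_certs` runs as www-data (not visible here), `owner: root`, `group: root`, `mode: 0600` for privkey.pem (the certificate can stay readable) is the safer default. Minor style points in the same hunk: `shell: make-ssl-cert generate-default-snakeoil` uses no shell features and can be `command:`, and `remote_src: yes` / `force: no` are clearer as `true` / `false`.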
@@ -63,14 +100,14 @@
     mode: 0644
     owner: root
     group: root
-  notify: reload nginx
+  notify: restart nginx
 
 - name: write nginx configuration default.conf
   template:
     src: default.conf.j2
     dest: /etc/nginx/conf.d/default.conf
     mode: 0644
-  notify: reload nginx
+  notify: restart nginx
 
 - name: manage html directory for static files
   file:
diff --git a/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2 b/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2
index e16e95b..9a4a191 100644
--- a/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2
+++ b/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2
@@ -1,5 +1,5 @@
 location ^~ /.well-known/acme-challenge/ {
-    resolver 127.0.0.1;
+    resolver 9.9.9.9;
     set $acme_host {{ acme_server }}.{{ http_domain_internal }};
     proxy_pass https://$acme_host:443;
 }
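Review bot: `resolver 9.9.9.9;` moves the lookup of `$acme_host` from a local resolver to a public one reached over plain, unauthenticated UDP DNS, and the `proxy_pass https://$acme_host:443;` on the following context line does not verify the upstream certificate (nginx defaults to `proxy_ssl_verify off`), so the ACME challenge traffic is now forwarded to whichever address a spoofed or on-path DNS answer returns. If the public resolver is intended, pair it with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (Debian's CA bundle) so an impostor cannot stand in for the ACME server, or keep a trusted internal resolver. The name is built from `{{ http_domain_internal }}`, which suggests a zone that 9.9.9.9 may not resolve at all; a comment such as `# public resolver: <reason the local one was dropped>` would record why 127.0.0.1 no longer works here.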