role service-nginx: improve initial ACME certificate creation
parent
b7d6bdea39
commit
37596e917d
4 changed files with 50 additions and 9 deletions
4
roles/service-nginx/files/known_hosts
Normal file
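--- /dev/null
+++ b/roles/service-nginx/files/known_hosts
@@ -0,0 +1,4 @@
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-dss 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
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCbZJJZsYR3fHhRFJyPYbbRf/VvbUoKYBjpQTSpaCZG2Tl5pvNIwVbyDF/dcCRtamIeFAxWMVVc0wJj9gQnnog=
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMqFRautch/VPTUpG7vJvt8M05vI4+qq6zWFiji9C2o
+zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXcRPe0d4JLfm67086fGMxBEeS1wi/sVpCB5rcR9tPNKGKZ/rL/DvP6Juqch+5xC6zG5uMGRLJhW3SLTLQuQ3ru7lvJxJYxBPpokO0hAde3JMZx4xV0p4Flw0WGWql2TkPYzWSGP62FaFH77BnpMVVBVXaoVVqKqPFgb8YzYFcEFPIpw8HOnKLhCBJmQzaWeLFu/HbasvdUYPGXvh+8VYc9KXcbQPfLtwlejI0iCYlJTGFv29WVUabceoskeMipljwQ/oNIk8mpSKKD0MGRw96sWByG2uHxJZtlAELHNoSw6uowpU02xJNPW8LF3ip07k6pV33Q/Y/9NGyDw4Yk0X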
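Review bot: The `ssh-dss` entry on the first line pins a host-key type that OpenSSH clients have refused by default since 7.0 and that later releases removed entirely, so it will never be used for verification and only widens what a misconfigured client could be talked into accepting; drop that line and keep the ecdsa, ed25519 and rsa entries. This file is also fed whole into the `known_hosts` module's `key` parameter via `lookup('file', 'known_hosts')` in the tasks hunk of this commit, and that module documents `key` as a single host key and decides whether to rewrite by comparing the existing entry against the supplied string, so a four-line value is likely to be re-added on every run. Confirm by running the role twice and checking `/etc/ssh/ssh_known_hosts` for duplicated lines, or split this into one task per key type with `loop` over the lines.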
|
|
@ -1,8 +1,8 @@
|
||||||
---
|
---
|
||||||
- name: reload nginx
|
- name: restart nginx
|
||||||
systemd:
|
systemd:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: reloaded
|
state: restarted
|
||||||
|
|
||||||
- name: restart cron
|
- name: restart cron
|
||||||
systemd:
|
systemd:
|
||||||
|
|
|
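Review bot: Renaming the handler from `reload nginx` to `restart nginx` in the `@@ -1,8 +1,8 @@` hunk changes two things at once: any task in another role or playbook that still has `notify: reload nginx` would now fail with a handler-not-found error, and every configuration or certificate change drops in-flight connections, even though nginx re-reads both certificates and config on a plain reload. If the motivation is that `state: reloaded` errors when nginx is not yet running on first deploy, the narrower fix is to keep the reload handler and make sure the service is started before the templates are rendered (a `systemd: name: nginx state: started enabled: yes` task), or add a separate `restart nginx` handler for the bootstrap path instead of repurposing the existing one. Either way, grep the repository for `reload nginx` before merging, since only this role's own notifies are updated here.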
@ -20,6 +20,17 @@
|
||||||
name: nginx
|
name: nginx
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: install ssl-cert packages
|
||||||
|
package:
|
||||||
|
name: ssl-cert
|
||||||
|
state: present
|
||||||
|
|
||||||
|
- name: Add remote server to known_hosts
|
||||||
|
known_hosts:
|
||||||
|
path: /etc/ssh/ssh_known_hosts
|
||||||
|
name: zuckerwatte.ffmwu.org
|
||||||
|
key: "{{ lookup('file', 'known_hosts') }}"
|
||||||
|
|
||||||
- name: create cronjob to sync ssl certs
|
- name: create cronjob to sync ssl certs
|
||||||
template:
|
template:
|
||||||
src: ssl_certs.cron.j2
|
src: ssl_certs.cron.j2
|
||||||
|
@ -39,11 +50,36 @@
|
||||||
|
|
||||||
- name: create certs directory
|
- name: create certs directory
|
||||||
file:
|
file:
|
||||||
path: /etc/nginx/ssl
|
path: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}
|
||||||
state: directory
|
state: directory
|
||||||
mode: 0755
|
mode: 0550
|
||||||
owner: root
|
owner: www-data
|
||||||
group: root
|
group: admin
|
||||||
|
|
||||||
|
- name: create snakeoil cert
|
||||||
|
shell: make-ssl-cert generate-default-snakeoil
|
||||||
|
args:
|
||||||
|
creates: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
|
||||||
|
- name: copy snakeoil ssl key for first start
|
||||||
|
copy:
|
||||||
|
src: /etc/ssl/private/ssl-cert-snakeoil.key
|
||||||
|
dest: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
|
||||||
|
remote_src: yes
|
||||||
|
force: no
|
||||||
|
owner: www-data
|
||||||
|
group: admin
|
||||||
|
mode: 0440
|
||||||
|
|
||||||
|
- name: copy snakeoil ssl cert for first start
|
||||||
|
copy:
|
||||||
|
src: /etc/ssl/certs/ssl-cert-snakeoil.pem
|
||||||
|
dest: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem
|
||||||
|
remote_src: yes
|
||||||
|
force: no
|
||||||
|
owner: www-data
|
||||||
|
group: admin
|
||||||
|
mode: 0440
|
||||||
|
|
||||||
- name: sync ssl certs
|
- name: sync ssl certs
|
||||||
shell: /etc/cron.daily/ssl_certs
|
shell: /etc/cron.daily/ssl_certs
|
||||||
|
@ -55,6 +91,7 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
|
notify: restart nginx
|
||||||
|
|
||||||
- name: write nginx configuration nginx.conf
|
- name: write nginx configuration nginx.conf
|
||||||
template:
|
template:
|
||||||
|
@ -63,14 +100,14 @@
|
||||||
mode: 0644
|
mode: 0644
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
notify: reload nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: write nginx configuration default.conf
|
- name: write nginx configuration default.conf
|
||||||
template:
|
template:
|
||||||
src: default.conf.j2
|
src: default.conf.j2
|
||||||
dest: /etc/nginx/conf.d/default.conf
|
dest: /etc/nginx/conf.d/default.conf
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify: reload nginx
|
notify: restart nginx
|
||||||
|
|
||||||
- name: manage html directory for static files
|
- name: manage html directory for static files
|
||||||
file:
|
file:
|
||||||
|
|
|
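Review bot: In the `@@ -39,11 +50,36 @@` hunk the private key is copied to `privkey.pem` as `owner: www-data` with `mode: 0440`, and the certs directory is created as `www-data:admin` `0550`; on a stock Debian nginx the master process runs as root and is the one that opens the key on start and reload, so the unprivileged worker account gains read access to the TLS private key for no functional reason, and any code execution as `www-data` (a worker bug, or another service sharing that account) can exfiltrate it. Make the directory `root:root` `0750` and the key `root:root` `0400`; the `fullchain.pem` copy can stay as it is. The daily sync script that later overwrites these files is outside this hunk, so if it runs as a non-root member of `admin` it needs a narrow write grant on the directory rather than a www-data owner, and it should preserve the same ownership on what it drops in. Separately, `shell: make-ssl-cert generate-default-snakeoil` uses no shell features and can be `command:` with the same `creates:` guard.
```yaml
- name: create certs directory
  file:
    # … unchanged: path, state …
    mode: "0750"
    owner: root
    group: root

# … unchanged: create snakeoil cert …

- name: copy snakeoil ssl key for first start
  copy:
    # … unchanged: src, dest, remote_src, force …
    owner: root
    group: root
    mode: "0400"
```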
@ -1,5 +1,5 @@
|
||||||
location ^~ /.well-known/acme-challenge/ {
|
location ^~ /.well-known/acme-challenge/ {
|
||||||
resolver 127.0.0.1;
|
resolver 9.9.9.9;
|
||||||
set $acme_host {{ acme_server }}.{{ http_domain_internal }};
|
set $acme_host {{ acme_server }}.{{ http_domain_internal }};
|
||||||
proxy_pass https://$acme_host:443;
|
proxy_pass https://$acme_host:443;
|
||||||
}
|
}
|
||||||
|
|
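Review bot: The `location` block in this hunk proxies ACME challenge requests to `https://$acme_host:443` without `proxy_ssl_verify on`, and the commit moves resolution of that host from the local resolver to the public `9.9.9.9`; nginx's `resolver` speaks plain, unauthenticated UDP DNS, so anyone able to spoof or redirect that query now chooses where challenges are proxied, and the unverified upstream TLS means the substitution would go unnoticed. Add `proxy_ssl_verify on;`, `proxy_ssl_name $acme_host;` and `proxy_ssl_trusted_certificate <bundle>;` inside the location, where the bundle is the CA that issued the internal ACME host's certificate (`/etc/ssl/certs/ca-certificates.crt` on Debian if it is publicly issued), so the upstream must present a certificate for that name. The variable name `http_domain_internal` suggests a zone a public resolver may not answer for at all; if it is split-horizon, `9.9.9.9` returns NXDOMAIN and the challenge proxy breaks, so check `dig @9.9.9.9` for the rendered name. The reason for leaving `127.0.0.1` is not visible here; if it was a missing local resolver, pointing at the resolvers the host already trusts from `/etc/resolv.conf` keeps the lookup inside the network, and giving the directive a `valid=` TTL and `ipv6=off` where no AAAA exists avoids needless retries.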