role serivce-nginx: improve inital ACME certificate creation

This commit is contained in:
Julian Labus 2018-09-09 10:18:39 +02:00
parent b7d6bdea39
commit 37596e917d
No known key found for this signature in database
GPG key ID: 8AF209F2C6B3572A
4 changed files with 50 additions and 9 deletions


@ -0,0 +1,4 @@
zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-dss AAAAB3NzaC1kc3MAAACBAJS26DIY2QfUOrGMr5Tnlds7jVLQPEvgtOVRmz+6Y576XjrtDL24R+J5ow2NFY0jJbo3ib11a38qflqx8u7ZVXIi23EzhgszQPte3q44EMHIlw5HfvfN3qYXXn33pPiLWPmr8bNwUK4EyGoNctNSrWOhwf/vZn0MIroPwJtIpfbLAAAAFQCrUtRkboJy0Tpn06ph77Nf0mkYNQAAAIEAiGjBSFBSGtZjARlHl6dT6HADMkuCT2dW4bh7JxRyJke4nglWzTPT84XZ/4KjiLcYPKROFdxdLSkFQt0b9Ef5KMGUa9QNPs8M89Zcrpyrz6O31KXaSbHaiV3Uimx9N2RNg4++7d+AWXNTivV/jPT+FPSKf9PLX5PebYpR97+/UVsAAACAahkxs6SS97ntBBmxGT0VSFiV8U8dBHlgKy2Jj3NjP3e4OwHOmqcD8LsvBS+IGdki/2uSUpd2fprV/4R1djkjMvlw/iP0VZyad0gKIikqHK1mtLduzjJXgVHtU+CdsfGuoVh/3EXhKyyZJAwpNjqbjLbEZu9MwcAIDq9m8Hgol1I=
zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMCbZJJZsYR3fHhRFJyPYbbRf/VvbUoKYBjpQTSpaCZG2Tl5pvNIwVbyDF/dcCRtamIeFAxWMVVc0wJj9gQnnog=
zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJMqFRautch/VPTUpG7vJvt8M05vI4+qq6zWFiji9C2o
zuckerwatte.ffmwu.org,89.163.245.179,2001:4ba0:fffc:3d:0:b4dc:4b1e:2 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAXcRPe0d4JLfm67086fGMxBEeS1wi/sVpCB5rcR9tPNKGKZ/rL/DvP6Juqch+5xC6zG5uMGRLJhW3SLTLQuQ3ru7lvJxJYxBPpokO0hAde3JMZx4xV0p4Flw0WGWql2TkPYzWSGP62FaFH77BnpMVVBVXaoVVqKqPFgb8YzYFcEFPIpw8HOnKLhCBJmQzaWeLFu/HbasvdUYPGXvh+8VYc9KXcbQPfLtwlejI0iCYlJTGFv29WVUabceoskeMipljwQ/oNIk8mpSKKD0MGRw96sWByG2uHxJZtlAELHNoSw6uowpU02xJNPW8LF3ip07k6pV33Q/Y/9NGyDw4Yk0X
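Review bot: Nothing records how these host keys were obtained or checked, and this file is the only thing standing between the certificate sync and a spoofed server, so the provenance should be stated — preferably next to the task that loads it (the file is read whole into `key:` via `lookup('file', 'known_hosts')`, so a `#` comment line inside the file itself may not survive the module), e.g. `# host keys of zuckerwatte.ffmwu.org, compared against ssh-keygen -lf output on the host on <date>`. The `ssh-dss` entry can be dropped: OpenSSH has disabled DSA host keys by default since 7.0, so clients will not negotiate it and keeping it only carries a weak key type forward. The entries are also pinned to the two IP addresses, so they stop matching if the host is renumbered — worth knowing when the sync suddenly fails.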


@ -1,8 +1,8 @@
--- ---
- name: reload nginx - name: restart nginx
systemd: systemd:
name: nginx name: nginx
state: reloaded state: restarted
- name: restart cron - name: restart cron
systemd: systemd:
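Review bot: Switching the handler to `state: restarted` means every notified change (nginx.conf, default.conf, and the new notify added in the tasks file) now drops in-flight connections, whereas `state: reloaded` already makes nginx re-read both configuration and certificate files; unless a reload is known to be insufficient here, `state: reloaded` remains the safer choice for the config-file notifies. If a full restart is required for a case not visible in this diff, a comment above the handler such as `# full restart required: <reason>` would keep the next maintainer from reverting it. The handler list continues outside the hunk.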


@ -20,6 +20,17 @@
name: nginx name: nginx
state: present state: present
- name: install ssl-cert packages
package:
name: ssl-cert
state: present
- name: Add remote server to known_hosts
known_hosts:
path: /etc/ssh/ssh_known_hosts
name: zuckerwatte.ffmwu.org
key: "{{ lookup('file', 'known_hosts') }}"
- name: create cronjob to sync ssl certs - name: create cronjob to sync ssl certs
template: template:
src: ssl_certs.cron.j2 src: ssl_certs.cron.j2
@ -39,11 +50,36 @@
- name: create certs directory - name: create certs directory
file: file:
path: /etc/nginx/ssl path: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}
state: directory state: directory
mode: 0755 mode: 0550
owner: root owner: www-data
group: root group: admin
- name: create snakeoil cert
shell: make-ssl-cert generate-default-snakeoil
args:
creates: /etc/ssl/certs/ssl-cert-snakeoil.pem
- name: copy snakeoil ssl key for first start
copy:
src: /etc/ssl/private/ssl-cert-snakeoil.key
dest: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem
remote_src: yes
force: no
owner: www-data
group: admin
mode: 0440
- name: copy snakeoil ssl cert for first start
copy:
src: /etc/ssl/certs/ssl-cert-snakeoil.pem
dest: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem
remote_src: yes
force: no
owner: www-data
group: admin
mode: 0440
- name: sync ssl certs - name: sync ssl certs
shell: /etc/cron.daily/ssl_certs shell: /etc/cron.daily/ssl_certs
@ -55,6 +91,7 @@
mode: 0644 mode: 0644
owner: root owner: root
group: root group: root
notify: restart nginx
- name: write nginx configuration nginx.conf - name: write nginx configuration nginx.conf
template: template:
@ -63,14 +100,14 @@
mode: 0644 mode: 0644
owner: root owner: root
group: root group: root
notify: reload nginx notify: restart nginx
- name: write nginx configuration default.conf - name: write nginx configuration default.conf
template: template:
src: default.conf.j2 src: default.conf.j2
dest: /etc/nginx/conf.d/default.conf dest: /etc/nginx/conf.d/default.conf
mode: 0644 mode: 0644
notify: reload nginx notify: restart nginx
- name: manage html directory for static files - name: manage html directory for static files
file: file:
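Review bot: The first-start key copied in `copy snakeoil ssl key for first start` lands as `owner: www-data` with `mode: 0440`, which makes the private key readable by nginx's unprivileged worker user; on Debian the master process reads key material as root, so the workers do not need it, and `owner: root` (keeping `group: admin` / `mode: 0440` if the sync job relies on the group) would keep the key out of the workers' reach — unless /etc/cron.daily/ssl_certs itself runs as www-data, which is not visible here; the same applies to the `owner: www-data` on the certs directory task. Separately, `remote_src: yes` and `force: no` in both copy tasks should be `remote_src: true` / `force: false` per the Ansible and yamllint truthy convention, and `shell: make-ssl-cert generate-default-snakeoil` uses no shell features, so `command:` would do. The `Add remote server to known_hosts` task passes the whole file into `key:`; confirm that the known_hosts module version in use accepts several keys in one value, otherwise only one of the four lines may actually be registered.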


@ -1,5 +1,5 @@
location ^~ /.well-known/acme-challenge/ { location ^~ /.well-known/acme-challenge/ {
resolver 127.0.0.1; resolver 9.9.9.9;
set $acme_host {{ acme_server }}.{{ http_domain_internal }}; set $acme_host {{ acme_server }}.{{ http_domain_internal }};
proxy_pass https://$acme_host:443; proxy_pass https://$acme_host:443;
} }
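Review bot: With `resolver 9.9.9.9` the name `{{ acme_server }}.{{ http_domain_internal }}` is now looked up over plain DNS at a public resolver, and `proxy_pass https://$acme_host:443` does not verify the upstream certificate (nginx's `proxy_ssl_verify` defaults to off), so whatever that lookup returns is trusted for the ACME challenge path. Adding `proxy_ssl_verify on;`, `proxy_ssl_name $acme_host;` and a `proxy_ssl_trusted_certificate` pointing at the CA that issued the ACME host's certificate would pin the upstream regardless of which resolver answers. The change also presumes the internal domain is resolvable from a public resolver, which is not visible here; if the move away from 127.0.0.1 was made because the web hosts run no local resolver, a comment such as `# public resolver: no local DNS cache on these hosts` would record that.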