Role service-nginx: add tasks to forward ACME HTTP requests and fetch certificates

2018-06-15 09:04:33 +02:00 · 2018-06-15 09:04:33 +02:00 · 43b9bc4407
parent 2e09e29d2b
commit 43b9bc4407
6 changed files with 92 additions and 0 deletions
--- a/roles/service-nginx/README.md
+++ b/roles/service-nginx/README.md
@ -10,4 +10,5 @@ Diese Ansible role installiert und konfiguriert den Web Server nginx.

 ## Benötigte Variablen

+- Variable `acme_server`
 - Variable `inventory_hostname_short`
--- a/roles/service-nginx/handlers/main.yml
+++ b/roles/service-nginx/handlers/main.yml
@ -3,3 +3,8 @@
  systemd:
    name: nginx
    state: reloaded
+
+- name: restart cron
+  systemd:
+    name: cron
+    state: restarted
--- a/roles/service-nginx/tasks/main.yml
+++ b/roles/service-nginx/tasks/main.yml
@ -20,6 +20,42 @@
    name: nginx
    state: present

+- name: create cronjob to sync ssl certs
+  template:
+    src: ssl_certs.cron.j2
+    dest: /etc/cron.daily/ssl_certs
+    mode: 0755
+    owner: root
+    group: root
+  notify: reload cron
+
+- name: create config snippets directory
+  file:
+    path: /etc/nginx/snippets
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: create certs directory
+  file:
+    path: /etc/nginx/ssl
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+
+- name: sync ssl certs
+  shell: /etc/cron.daily/ssl_certs
+
+- name: write nginx configuration letsencrypt-acme-challenge.conf
+  template:
+    src: letsencrypt-acme-challenge.conf.j2
+    dest: /etc/nginx/snippets/letsencrypt-acme-challenge.conf
+    mode: 0644
+    owner: root
+    group: root
+
 - name: write nginx configuration nginx.conf
  template:
    src: nginx.conf.j2
--- a/roles/service-nginx/templates/default.conf.j2
+++ b/roles/service-nginx/templates/default.conf.j2
@ -6,6 +6,29 @@ server {
    charset utf-8;
    server_tokens off;

+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
+    root /var/www/html;
+    location / {
+        index index.html;
+        autoindex on;
+        autoindex_exact_size off;
+    }
+}
+
+server {
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    server_name _;
+
+    charset utf-8;
+    server_tokens off;
+
+    ssl_certificate     /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
+
+    include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
+
    root /var/www/html;
    location / {
        index index.html;
--- a/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2
+++ b/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2
@ -0,0 +1,7 @@
+location ^~ /.well-known/acme-challenge/ {
+    proxy_pass https://{{ acme_server }}.{{ http_domain_internal }}:443;
+}
+
+location = /.well-known/acme-challenge/ {
+    return 404;
+}
--- a/roles/service-nginx/templates/ssl_certs.cron.j2
+++ b/roles/service-nginx/templates/ssl_certs.cron.j2
@ -0,0 +1,20 @@
+#!/bin/sh
+
+DOMAINS="{{ inventory_hostname_short }}.{{ http_domain_external }}"
+LOCAL_DIR="/etc/nginx/ssl"
+
+for DOMAIN in $DOMAINS;
+do
+ #Get Certs
+ rsync --delete -rz -e  'ssh -i /home/admin/.ssh/id_rsa -p 23' cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/ $LOCAL_DIR/$DOMAIN
+  
+ #Fix Permissions
+ chmod 0550 $LOCAL_DIR/$DOMAIN
+ chmod 0440 $LOCAL_DIR/$DOMAIN/*
+done
+
+#Fix owners
+chown -R www-data:admin $LOCAL_DIR
+
+#restart
+systemctl reload nginx.service