Role service-nginx: add tasks to forward ACME HTTP requests and fetch certificates

Julian Labus 2018-06-15 09:04:33 +02:00
parent 2e09e29d2b
commit 43b9bc4407
No known key found for this signature in database
GPG key ID: 8AF209F2C6B3572A
6 changed files with 92 additions and 0 deletions


@ -10,4 +10,5 @@ Diese Ansible role installiert und konfiguriert den Web Server nginx.
## Benötigte Variablen
- Variable `acme_server`
- Variable `inventory_hostname_short`


@ -3,3 +3,8 @@
systemd:
name: nginx
state: reloaded
- name: restart cron
systemd:
name: cron
state: restarted
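Review bot: The handler is registered as `restart cron`, but the `create cronjob to sync ssl certs` task in tasks/main.yml notifies `reload cron`, so the first run that actually changes `/etc/cron.daily/ssl_certs` will abort with an unknown-handler error; rename one side so they agree, e.g. `- name: reload cron`. Beyond the name, on Debian-style systems `/etc/cron.daily` is executed through `run-parts` from `/etc/crontab`, so dropping a script into it needs no daemon restart at all and both the handler and the `notify` could simply be removed — worth confirming for the target distribution before relying on that.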


@ -20,6 +20,42 @@
name: nginx
state: present
- name: create cronjob to sync ssl certs
template:
src: ssl_certs.cron.j2
dest: /etc/cron.daily/ssl_certs
mode: 0755
owner: root
group: root
notify: reload cron
- name: create config snippets directory
file:
path: /etc/nginx/snippets
state: directory
mode: 0755
owner: root
group: root
- name: create certs directory
file:
path: /etc/nginx/ssl
state: directory
mode: 0755
owner: root
group: root
- name: sync ssl certs
shell: /etc/cron.daily/ssl_certs
- name: write nginx configuration letsencrypt-acme-challenge.conf
template:
src: letsencrypt-acme-challenge.conf.j2
dest: /etc/nginx/snippets/letsencrypt-acme-challenge.conf
mode: 0644
owner: root
group: root
- name: write nginx configuration nginx.conf
template:
src: nginx.conf.j2
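Review bot: The `sync ssl certs` task runs `/etc/cron.daily/ssl_certs` through `shell` on every play with no `changed_when` or `creates`, so each run re-syncs the certificates, reloads nginx and reports changed even when nothing happened; prefer `command: /etc/cron.daily/ssl_certs` (the command uses no shell features) with `changed_when: false`, or `register` the preceding template task and guard the sync with `when: ssl_cron is changed`. It also notifies `reload cron`, which is not the name of the handler this commit adds (`restart cron`), so the notification fails the first time the cron file changes. As a style point, the `mode: 0755`/`0644` values are unquoted octal literals — Ansible accepts them because of the leading zero, but `mode: "0755"` is the form its documentation recommends so a later edit cannot fall into the YAML integer trap. The `write nginx configuration nginx.conf` task continues outside the hunk.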


@ -6,6 +6,29 @@ server {
charset utf-8;
server_tokens off;
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
root /var/www/html;
location / {
index index.html;
autoindex on;
autoindex_exact_size off;
}
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
charset utf-8;
server_tokens off;
ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
root /var/www/html;
location / {
index index.html;
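Review bot: The new 443 server block sets only `ssl_certificate`/`ssl_certificate_key`; no `ssl_protocols`, `ssl_ciphers` or `ssl_prefer_server_ciphers` appear here, and unless they are set at `http` level in the part of nginx.conf outside this hunk, nginx's built-in default of that era (`TLSv1 TLSv1.1 TLSv1.2`) still accepts TLS 1.0 and 1.1. Pinning them here or in the http context, e.g. `ssl_protocols TLSv1.2;` and `ssl_prefer_server_ciphers on;` with an explicit cipher list, and adding `add_header Strict-Transport-Security "max-age=31536000" always;` would be the usual hardening. The port-80 server also keeps serving the full document root (with `autoindex on`) rather than redirecting to HTTPS; because the ACME snippet is a `^~` prefix location it keeps precedence, so `location / { return 301 https://$host$request_uri; }` on port 80 would leave challenge forwarding intact. The 443 server block continues outside the hunk.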


@ -0,0 +1,7 @@
location ^~ /.well-known/acme-challenge/ {
proxy_pass https://{{ acme_server }}.{{ http_domain_internal }}:443;
}
location = /.well-known/acme-challenge/ {
return 404;
}
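Review bot: `proxy_pass https://…` encrypts the hop to the internal ACME host but does not authenticate it, because nginx's `proxy_ssl_verify` defaults to `off`; anyone able to answer for `{{ acme_server }}.{{ http_domain_internal }}` on the internal network could therefore serve challenge responses for this host's public name and have certificates issued for it from their own ACME account. Pinning the upstream identity with `proxy_ssl_verify on`, a trusted CA bundle and `proxy_ssl_name` closes that, and `proxy_ssl_server_name on` is needed if the upstream selects its certificate by SNI. Whether the upstream also needs the original `Host` header depends on how the ACME server dispatches challenge requests — if it serves by virtual host rather than by token path, add `proxy_set_header Host $host;` as well.
```nginx
location ^~ /.well-known/acme-challenge/ {
    proxy_pass https://{{ acme_server }}.{{ http_domain_internal }}:443;
    proxy_ssl_verify on;
    # CA that issued the internal ACME host's certificate (system bundle or internal CA)
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    proxy_ssl_name {{ acme_server }}.{{ http_domain_internal }};
    proxy_ssl_server_name on;
}
# … unchanged: exact-match 404 location …
```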


@ -0,0 +1,20 @@
#!/bin/sh
DOMAINS="{{ inventory_hostname_short }}.{{ http_domain_external }}"
LOCAL_DIR="/etc/nginx/ssl"
for DOMAIN in $DOMAINS;
do
#Get Certs
rsync --delete -rz -e 'ssh -i /home/admin/.ssh/id_rsa -p 23' cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/ $LOCAL_DIR/$DOMAIN
#Fix Permissions
chmod 0550 $LOCAL_DIR/$DOMAIN
chmod 0440 $LOCAL_DIR/$DOMAIN/*
done
#Fix owners
chown -R www-data:admin $LOCAL_DIR
#restart
systemctl reload nginx.service
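Review bot: Nothing stops the script when `rsync` fails — there is no `set -e` and its exit status is not checked, so a failed transfer (ACME host unreachable, key missing, host key not yet in root's known_hosts) still goes on to `chmod`, `chown` and `systemctl reload nginx.service`; add `set -eu` after the shebang, or `rsync … || exit 1`, so nginx is only reloaded after a complete sync. The ownership step `chown -R www-data:admin $LOCAL_DIR` combined with `0440` makes `privkey.pem` readable by the nginx worker user and by everyone in the `admin` group; nginx reads the key in its root-owned master process, so `root:root` with `0400` would be enough unless another consumer of the key is intended — worth confirming. `chmod 0440 $LOCAL_DIR/$DOMAIN/*` also applies to any subdirectory the remote side exposes, which would remove traversal permission; if the certificate directory is known to be flat this is fine, otherwise restrict it with `find "$LOCAL_DIR/$DOMAIN" -type f -exec chmod 0440 {} +`. Finally, nginx is reloaded every day whether or not anything changed; rsync's `--itemize-changes` output, or a checksum of the key before and after the sync, can gate the reload.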