diff --git a/roles/service-nginx/README.md b/roles/service-nginx/README.md index c0179d4..8b00cb7 100644 --- a/roles/service-nginx/README.md +++ b/roles/service-nginx/README.md @@ -10,4 +10,5 @@ Diese Ansible role installiert und konfiguriert den Web Server nginx. ## Benötigte Variablen +- Variable `acme_server` - Variable `inventory_hostname_short` diff --git a/roles/service-nginx/handlers/main.yml b/roles/service-nginx/handlers/main.yml index 4e0a6ca..d0c9b9a 100644 --- a/roles/service-nginx/handlers/main.yml +++ b/roles/service-nginx/handlers/main.yml @@ -3,3 +3,8 @@ systemd: name: nginx state: reloaded + +- name: restart cron + systemd: + name: cron + state: restarted diff --git a/roles/service-nginx/tasks/main.yml b/roles/service-nginx/tasks/main.yml index 1fd1d4f..6e56a6f 100644 --- a/roles/service-nginx/tasks/main.yml +++ b/roles/service-nginx/tasks/main.yml @@ -20,6 +20,42 @@ name: nginx state: present +- name: create cronjob to sync ssl certs + template: + src: ssl_certs.cron.j2 + dest: /etc/cron.daily/ssl_certs + mode: 0755 + owner: root + group: root + notify: reload cron + +- name: create config snippets directory + file: + path: /etc/nginx/snippets + state: directory + mode: 0755 + owner: root + group: root + +- name: create certs directory + file: + path: /etc/nginx/ssl + state: directory + mode: 0755 + owner: root + group: root + +- name: sync ssl certs + shell: /etc/cron.daily/ssl_certs + +- name: write nginx configuration letsencrypt-acme-challenge.conf + template: + src: letsencrypt-acme-challenge.conf.j2 + dest: /etc/nginx/snippets/letsencrypt-acme-challenge.conf + mode: 0644 + owner: root + group: root + - name: write nginx configuration nginx.conf template: src: nginx.conf.j2 diff --git a/roles/service-nginx/templates/default.conf.j2 b/roles/service-nginx/templates/default.conf.j2 index e0e4f86..b7f1a6a 100644 --- a/roles/service-nginx/templates/default.conf.j2 +++ b/roles/service-nginx/templates/default.conf.j2 
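Review bot: The handler added here is named `restart cron`, but the task this same commit adds in `tasks/main.yml` notifies `reload cron`, so Ansible will fail with a "requested handler ... was not found" error as soon as the cron template reports a change; one of the two names has to change, e.g. `- name: reload cron`. Independently of the name, a script dropped into `/etc/cron.daily/` is picked up by the daily `run-parts` invocation without touching the cron daemon, so the handler is not needed at all, and `state: restarted` interrupts whatever job cron happens to be executing. If a handler is kept for symmetry with `reload nginx`, `state: reloaded` is the less disruptive choice.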
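Review bot: The `sync ssl certs` task runs the cron script through `shell:` on every play, so it always reports `changed` and a transient rsync failure aborts the whole role with no `changed_when`/`failed_when` control; `command: /etc/cron.daily/ssl_certs` with `changed_when: false` states the intent and keeps the play idempotent. The preceding `create certs directory` task also pins `/etc/nginx/ssl` to `root:root`, which the script then overrides with `chown -R www-data:admin`, so the two tasks undo each other on every run and the directory that holds the private key ends up owned by the nginx worker account; the task should own the directory the way the script leaves it, preferably root. Note also that `notify: reload cron` does not match the handler this commit adds (`restart cron`), so the play will error out when the template changes. The task list continues past the end of the hunk.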
@@ -6,6 +6,29 @@ server { charset utf-8; server_tokens off; + include /etc/nginx/snippets/letsencrypt-acme-challenge.conf; + + root /var/www/html; + location / { + index index.html; + autoindex on; + autoindex_exact_size off; + } +} + +server { + listen 443 ssl default_server; + listen [::]:443 ssl default_server; + server_name _; + + charset utf-8; + server_tokens off; + + ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem; + ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem; + + include /etc/nginx/snippets/letsencrypt-acme-challenge.conf; + root /var/www/html; location / { index index.html; diff --git a/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2 b/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2 new file mode 100644 index 0000000..e537102 --- /dev/null +++ b/roles/service-nginx/templates/letsencrypt-acme-challenge.conf.j2 @@ -0,0 +1,7 @@ +location ^~ /.well-known/acme-challenge/ { + proxy_pass https://{{ acme_server }}.{{ http_domain_internal }}:443; +} + +location = /.well-known/acme-challenge/ { + return 404; +} diff --git a/roles/service-nginx/templates/ssl_certs.cron.j2 b/roles/service-nginx/templates/ssl_certs.cron.j2 new file mode 100644 index 0000000..a2c97fa --- /dev/null +++ b/roles/service-nginx/templates/ssl_certs.cron.j2 @@ -0,0 +1,20 @@ +#!/bin/sh + +DOMAINS="{{ inventory_hostname_short }}.{{ http_domain_external }}" +LOCAL_DIR="/etc/nginx/ssl" + +for DOMAIN in $DOMAINS; +do + #Get Certs + rsync --delete -rz -e 'ssh -i /home/admin/.ssh/id_rsa -p 23' cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/ $LOCAL_DIR/$DOMAIN + + #Fix Permissions + chmod 0550 $LOCAL_DIR/$DOMAIN + chmod 0440 $LOCAL_DIR/$DOMAIN/* +done + +#Fix owners +chown -R www-data:admin $LOCAL_DIR + +#restart +systemctl reload nginx.service
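Review bot: The new `listen 443 ssl default_server` block references `/etc/nginx/ssl/.../fullchain.pem` and `privkey.pem` unconditionally, so if those files are missing (first deployment before the ACME host has issued anything, or a failed rsync) nginx rejects the entire configuration, which also takes down the port-80 block that proxies the `acme-challenge` needed to obtain the certificate in the first place. Consider bootstrapping with a self-signed placeholder or rendering the 443 block only when the files exist, if the ACME host does not guarantee a certificate before this role runs. The block also sets no `ssl_protocols`/`ssl_ciphers`; unless `nginx.conf.j2` already does so in the `http` context, nginx's compiled-in defaults apply, and adding `ssl_protocols TLSv1.2 TLSv1.3;` here makes the policy explicit. The second `server` block continues past the end of the hunk, so whatever follows `index index.html;` there is not visible here.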
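Review bot: `proxy_pass https://{{ acme_server }}...:443` is sent without `proxy_ssl_verify`, and nginx does not verify the upstream certificate by default, so anything that can answer for that internal name (DNS or ARP spoofing on the internal network) can hand Let's Encrypt an arbitrary challenge response through this host and obtain a certificate for its external name. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` (or the internal CA bundle that issued the ACME host's certificate) inside the `^~` location. Note as well that nginx sends `Host: $proxy_host`, i.e. the internal name, to the upstream; if the ACME server dispatches challenges by the requested external domain it will need `proxy_set_header Host $host;` — this depends on how that host is configured, which is not visible here.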
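Review bot: `chown -R www-data:admin $LOCAL_DIR` combined with `chmod 0440 $LOCAL_DIR/$DOMAIN/*` makes the nginx worker account the owner of `privkey.pem`; the nginx master process reads the key as root, so workers — and any other process running as www-data on the box — never need it, and a compromise of one would expose the TLS key. `chown -R root:root $LOCAL_DIR` (with the existing 0440/0550 modes) keeps the key readable only by root and the `admin` group. The script also has no `set -e`, so when rsync fails (ACME host unreachable, or an unknown host key for root, since cron runs this as root while the key lives in `/home/admin/.ssh/id_rsa`) it still runs the chmod/chown and `systemctl reload nginx.service` as if the sync had succeeded; `set -eu` at the top makes a transport failure stop the script, and a note in the script that the admin key and root's `known_hosts` entry must be provisioned out of band would save the next operator a silent daily failure.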