Role service-nginx: add tasks to forward ACME HTTP requests and fetch certificates
This commit is contained in:
parent
2e09e29d2b
commit
43b9bc4407
6 changed files with 92 additions and 0 deletions
@ -10,4 +10,5 @@ Diese Ansible role installiert und konfiguriert den Web Server nginx.
## Benötigte Variablen
## Benötigte Variablen
- Variable `acme_server`
- Variable `inventory_hostname_short`
- Variable `inventory_hostname_short`
@ -3,3 +3,8 @@
systemd:
systemd:
name: nginx
name: nginx
state: reloaded
state: reloaded
- name: restart cron
systemd:
name: cron
state: restarted
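Review bot: The handler added here is named `restart cron`, but the cron-job task in the tasks hunk below notifies `reload cron`, so the play aborts with an unknown-handler error as soon as the `ssl_certs.cron.j2` template reports a change. Either rename one side (`notify: restart cron`) or drop the notify and this handler altogether: a file placed in `/etc/cron.daily` is picked up by `run-parts` on the next daily run without restarting the cron service, so neither a reload nor a restart is needed. If the handler is kept, the existing `reload nginx` handler above it uses `state: reloaded`; matching that style (`state: reloaded` is not available for cron, so `restarted` is fine) keeps the file consistent.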
@ -20,6 +20,42 @@
name: nginx
name: nginx
state: present
state: present
- name: create cronjob to sync ssl certs
template:
src: ssl_certs.cron.j2
dest: /etc/cron.daily/ssl_certs
mode: 0755
owner: root
group: root
notify: reload cron
- name: create config snippets directory
file:
path: /etc/nginx/snippets
state: directory
mode: 0755
owner: root
group: root
- name: create certs directory
file:
path: /etc/nginx/ssl
state: directory
mode: 0755
owner: root
group: root
- name: sync ssl certs
shell: /etc/cron.daily/ssl_certs
- name: write nginx configuration letsencrypt-acme-challenge.conf
template:
src: letsencrypt-acme-challenge.conf.j2
dest: /etc/nginx/snippets/letsencrypt-acme-challenge.conf
mode: 0644
owner: root
group: root
- name: write nginx configuration nginx.conf
- name: write nginx configuration nginx.conf
template:
template:
src: nginx.conf.j2
src: nginx.conf.j2
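Review bot: The `sync ssl certs` task runs `shell: /etc/cron.daily/ssl_certs` unconditionally, so every play re-syncs the certificates, triggers the script's own `systemctl reload nginx.service`, and always reports `changed`. The script needs no shell syntax, so `command: /etc/cron.daily/ssl_certs` with `changed_when: false` keeps the play honest, and if the intent is a first-run bootstrap only, `creates: /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem` states that directly. Note that this task runs before `write nginx configuration nginx.conf`, so on a fresh host the reload inside the script happens against the pre-existing nginx config; that is harmless but a one-line comment above the task would save the next reader the question. The `notify: reload cron` on the cron-job task has no matching handler (the handlers hunk defines `restart cron`); see the note on that hunk.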
@ -6,6 +6,29 @@ server {
charset utf-8;
charset utf-8;
server_tokens off;
server_tokens off;
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
root /var/www/html;
location / {
index index.html;
autoindex on;
autoindex_exact_size off;
}
}
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
charset utf-8;
server_tokens off;
ssl_certificate /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/fullchain.pem;
ssl_certificate_key /etc/nginx/ssl/{{ inventory_hostname_short }}.{{ http_domain_external }}/privkey.pem;
include /etc/nginx/snippets/letsencrypt-acme-challenge.conf;
root /var/www/html;
root /var/www/html;
location / {
location / {
index index.html;
index index.html;
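Review bot: The new `listen 443 ssl default_server` block sets `ssl_certificate`/`ssl_certificate_key` but no `ssl_protocols`, `ssl_ciphers` or `ssl_prefer_server_ciphers`, so the TLS policy of this public endpoint is whatever the installed nginx package defaults to; on older builds that still includes TLSv1 and TLSv1.1 (which versions is not visible here). Pin it explicitly next to the key line, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;`, or move the TLS settings into a snippet under `/etc/nginx/snippets/` alongside the ACME one so both server blocks stay short. A `ssl_session_cache shared:SSL:10m;` line in the same place is the usual companion and costs nothing. The block is only a catch-all (`server_name _`) presenting one host's certificate, which is fine, but worth a comment so nobody adds a second `default_server` later.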
@ -0,0 +1,7 @@
location ^~ /.well-known/acme-challenge/ {
proxy_pass https://{{ acme_server }}.{{ http_domain_internal }}:443;
}
location = /.well-known/acme-challenge/ {
return 404;
}
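Review bot: `proxy_pass https://{{ acme_server }}.{{ http_domain_internal }}:443;` encrypts the hop to the ACME host but does not authenticate it: nginx defaults to `proxy_ssl_verify off` and `proxy_ssl_server_name off`, so the upstream certificate is never checked and no SNI is sent. Challenge tokens are public, so the exposure is small, but the `https://` scheme suggests a guarantee the config does not give; either add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate <path-to-internal-ca-bundle>;` and `proxy_ssl_server_name on;` inside the location, or proxy over plain `http://` on the internal network and say so in a comment. Also note that nginx resolves the `proxy_pass` hostname once at startup, so a DNS change for the ACME host needs an nginx reload; a short comment in the snippet (`# upstream is resolved at start-up; reload nginx after changing acme_server`) would make that visible.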
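--- a/roles/service-nginx/templates/ssl_certs.cron.j2
+++ b/roles/service-nginx/templates/ssl_certs.cron.j2
@@ -0,0 +1,20 @@
+#!/bin/sh
+
+DOMAINS="{{ inventory_hostname_short }}.{{ http_domain_external }}"
+LOCAL_DIR="/etc/nginx/ssl"
+
+for DOMAIN in $DOMAINS;
+do
+#Get Certs
+rsync --delete -rz -e 'ssh -i /home/admin/.ssh/id_rsa -p 23' cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/ $LOCAL_DIR/$DOMAIN
+
+#Fix Permissions
+chmod 0550 $LOCAL_DIR/$DOMAIN
+chmod 0440 $LOCAL_DIR/$DOMAIN/*
+done
+
+#Fix owners
+chown -R www-data:admin $LOCAL_DIR
+
+#restart
+systemctl reload nginx.service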
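Review bot: The script has no error handling: when `rsync --delete` fails or is interrupted for a domain, the loop still runs the `chmod` lines and the script still ends with `systemctl reload nginx.service`, reloading nginx against whatever is left in `$LOCAL_DIR/$DOMAIN`. Adding `set -eu` after the shebang and quoting the `$LOCAL_DIR/$DOMAIN` expansions stops the script at the first failing transfer, before permissions or nginx are touched (the rewritten loop is below; `$DOMAINS` stays unquoted on purpose because it is a space-separated list). Separately, `chown -R www-data:admin $LOCAL_DIR` together with `chmod 0440` lets the nginx worker user and every member of `admin` read `privkey.pem`; the nginx master process loads the key as root, so `root:root` with `0400` on the key file is the least-privilege choice unless the `admin` group needs it for something not visible here. The `sync ssl certs` task runs this script non-interactively, so the first run fails or blocks at ssh's host-key prompt unless root's `known_hosts` already contains the ACME host — worth a comment or a prior `known_hosts` task.

```sh
#!/bin/sh
set -eu

# … unchanged: DOMAINS / LOCAL_DIR …

# $DOMAINS is deliberately unquoted: it is a space-separated list
for DOMAIN in $DOMAINS; do
  #Get Certs — abort before touching permissions or nginx if the sync fails
  rsync --delete -rz -e 'ssh -i /home/admin/.ssh/id_rsa -p 23' \
    "cert@{{ acme_server }}.{{ http_domain_internal }}:$DOMAIN/" "$LOCAL_DIR/$DOMAIN"

  #Fix Permissions
  chmod 0550 "$LOCAL_DIR/$DOMAIN"
  chmod 0440 "$LOCAL_DIR/$DOMAIN"/*
done

# … unchanged: chown, systemctl reload …
```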