[nginx] Add feature to manage multiple certificates, for example for crans.org and for adm.crans.org

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
certbot_on_virtu
Yohann D'ANELLO 2021-02-18 15:49:10 +01:00 committed by ynerant
parent 96d5f945e3
commit 72238d79ed
10 changed files with 83 additions and 74 deletions


@ -9,7 +9,7 @@ loc_nginx:
servers:
- server_name:
- lists.crans.org
ssl: true
ssl: crans.org
root: "/usr/lib/cgi-bin/mailman/"
index:
- index.htm


@ -4,11 +4,14 @@ glob_nginx:
who: "L'équipe technique du Cr@ns"
service_name: service
ssl:
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
# Add adm.crans.org if necessary
- name: crans.org
cert: /etc/letsencrypt/live/crans.org/fullchain.pem
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
servers:
- ssl: false
- ssl: false # Replace by crans.org or adm.crans.org
default: true
server_name:
- "default"
- "_"
@ -21,4 +24,5 @@ glob_nginx:
auth_passwd: []
default_server:
default_ssl_server:
default_ssl_domain: crans.org
deploy_robots_file: false
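Review bot: Nothing in the new `ssl` list records that `name` is the value everything else keys on: the tasks hunk later in this commit turns it into the path `/etc/nginx/snippets/options-ssl.<name>.conf`, and every `ssl:` value in `servers` as well as `default_ssl_domain` must equal one of these names, otherwise the rendered server block includes a file that does not exist and the config only fails at `nginx -t` time. I would state that contract on the list itself, e.g. `# Each entry's name is the certificate lineage (certbot certname) and the value servers use in their ssl: key; it becomes /etc/nginx/snippets/options-ssl.<name>.conf` above `- name: crans.org`, and the same remark belongs next to `certname: crans.org` in the irc host vars later in this commit, since that name no longer reflects the domain it covers. The `# Replace by crans.org or adm.crans.org` hint on the default server's `ssl: false` would age better as `# false, or the name of an nginx.ssl entry`, as the list is meant to grow beyond those two.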


@ -37,26 +37,26 @@ to_backup:
loc_nginx:
service_name: ftp
servers:
server_name:
- "ftp"
- "ftp.*"
- "mirror"
- "mirror.*"
- "archive.ubuntu.com"
- "fr.archive.ubuntu.com"
- "security.ubuntu.com"
- "ftps"
- "ftps.*"
root: "/pubftp"
locations:
- filter: "/"
- params:
- "autoindex on"
- "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html"
- "add_after_body /.html/FOOTER.html"
- filter: "/pub/events/"
params:
- "mp4"
- "mp4_buffer_size 1m"
- "mp4_max_buffer_size 5m"
- server_name:
- "ftp"
- "ftp.*"
- "mirror"
- "mirror.*"
- "archive.ubuntu.com"
- "fr.archive.ubuntu.com"
- "security.ubuntu.com"
- "ftps"
- "ftps.*"
root: "/pubftp"
locations:
- filter: "/"
params:
- "autoindex on"
- "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html"
- "add_after_body /.html/FOOTER.html"
- filter: "/pub/events/"
params:
- "mp4"
- "mp4_buffer_size 1m"
- "mp4_max_buffer_size 5m"


@ -4,7 +4,12 @@ interfaces:
srv: ens19
loc_certbot:
domains: "irc.crans.org"
- dns_rfc2136_server: '172.16.10.147'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "irc.crans.org"
loc_nginx:
service_name: "thelounge"
@ -12,7 +17,8 @@ loc_nginx:
- server_name:
- "irc.crans.org"
- "irc"
ssl: true
default: true
ssl: crans.org
locations:
- filter: "^~ /web/"
params:


@ -2,7 +2,7 @@
---
- hosts: irc
vars:
certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
thelounge: '{{ glob_thelounge | default({}) | combine(loc_thelounge | default({})) }}'
roles:
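Review bot: The fallback `default([])` on the new `certbot` line yields a list, whereas `loc_certbot` and the previous `glob_certbot | default({})` are mappings, so a host that defines neither presumably hands the certbot role a type it cannot index by key; `certbot: '{{ loc_certbot | default(glob_certbot | default({})) }}'` keeps the type consistent across all three cases. The line also changes semantics from merging both dicts to the local one fully shadowing the global one, so each host-level `loc_certbot` must now carry every key (mail, the dns_rfc2136_* settings), which the irc host vars in this commit do; that is worth a comment on the line, e.g. `# loc_certbot replaces glob_certbot entirely (no merge): define every key per host`.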


@ -8,6 +8,10 @@
default_url: "https://lists.crans.org/"
default_host: "lists.crans.org"
default_language: "fr"
custom_logo: "crans_icon_dark.svg"
custom_logo_name: "crans.svg"
custom_logo_url: "https://www.crans.org/"
custom_logo_alt: "CRANS"
spamassassin: "SpamAssassin_crans"
smtphost: "smtp.adm.crans.org"
mynetworks: ['138.231.0.0/16', '185.230.76.0/22', '2a0c:700:0::/40']


@ -7,16 +7,22 @@
retries: 3
until: apt_result is succeeded
- name: Copy snippets
- name: Copy proxypass snippets
template:
src: "nginx/snippets/{{ item }}.j2"
dest: "/etc/nginx/snippets/{{ item }}"
src: "nginx/snippets/options-proxypass.conf.j2"
dest: "/etc/nginx/snippets/options-proxypass.conf"
owner: root
group: root
mode: 0644
loop:
- options-ssl.conf
- options-proxypass.conf
- name: Copy SSL snippets
template:
src: "nginx/snippets/options-ssl.conf.j2"
dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"
owner: root
group: root
mode: 0644
loop: "{{ nginx.ssl }}"
- name: Copy dhparam
template:
@ -98,12 +104,6 @@
group: www-data
mode: 0644
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx
mode: 0755
- name: Install passwords
when: nginx.auth_passwd|length > 0
template:
@ -119,3 +119,9 @@
owner: www-data
group: www-data
mode: 0644
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx
mode: 0755
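Review bot: The previously managed `/etc/nginx/snippets/options-ssl.conf` is no longer written by the split tasks but is not removed either, so on every already-deployed host the old file stays behind with whichever certificate it was last rendered with; a `file: state: absent` task after the SSL snippet loop retires it explicitly. Two smaller points on the same hunk: `loop: "{{ nginx.ssl }}"` now requires `ssl` to be a list, so a `loc_nginx` still providing the old mapping form (the `nginx` var is a shallow `combine`) would iterate over its keys and fail on `item.name`, and a `loop_control: label: "{{ item.name }}"` would at least make the offending entry obvious in the output; `mode: 0644` is an unquoted octal that YAML 1.1 reads as an int, which Ansible accepts but `"0644"` is the safer spelling. The relocated motd task still references `update-motd.d/05-service.j2` while the last section of this commit deletes a template with motd content; if that is the same file the task breaks on the next run, so please confirm the source still exists.
```yaml
# … unchanged: Copy SSL snippets task …
- name: Remove legacy single-certificate SSL snippet
  file:
    path: /etc/nginx/snippets/options-ssl.conf
    state: absent
# … unchanged: Copy dhparam task …
```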


@ -19,7 +19,7 @@ upstream {{ upstream.name }} {
server {
listen 443 default_server ssl;
listen [::]:443 default_server ssl;
include "/etc/nginx/snippets/options-ssl.conf";
include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
server_name _;
charset utf-8;
@ -55,8 +55,8 @@ server {
{% if server.ssl is defined and server.ssl -%}
# Redirect HTTP to HTTPS
server {
listen 80;
listen [::]:80;
listen 80{% if server.default is defined and server.default %} default_server{% endif %};
listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %};
server_name {{ server.server_name|join(" ") }};
charset utf-8;
@ -72,9 +72,9 @@ server {
server {
{% if server.ssl is defined and server.ssl -%}
listen 443 ssl;
listen [::]:443 ssl;
include "/etc/nginx/snippets/options-ssl.conf";
listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf";
{% else -%}
listen 80 default;
listen [::]:80 default;
@ -86,29 +86,21 @@ server {
# Hide Nginx version
server_tokens off;
{% if server.root is defined -%}
root {{ server.root }};
{% endif -%}
{% if server.index is defined -%}
index {{ server.index|join(" ") }};
{% endif -%}
{% if server.root is defined %}root {{ server.root }};{% endif %}
{% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}
{% if server.access_log is defined -%}
access_log {{ server.access_log }};
{% endif -%}
{% if server.error_log is defined -%}
error_log {{ server.error_log }};
{% endif -%}
{% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %}
{% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %}
{% if server.locations is defined -%}
{% for location in server.locations -%}
{% if server.locations is defined %}
{% for location in server.locations %}
location {{ location.filter }} {
{% for param in location.params -%}
{% for param in location.params %}
{{ param }};
{% endfor -%}
{% endfor %}
}
{% endfor -%}
{% endif -%}
{% endfor %}
{% endif %}
}
{% endfor %}
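Review bot: The guard `{% if server.ssl is defined and server.ssl -%}` still accepts the old boolean form, so a host that was not migrated from `ssl: true` renders `include ".../options-ssl.True.conf"` and the mistake only surfaces at `nginx -t` time, with nothing pointing at the value now being a certificate name. Failing early is preferable: an `assert` task before the template, roughly `that: "nginx.servers | selectattr('ssl', 'defined') | map(attribute='ssl') | select | difference(nginx.ssl | map(attribute='name')) | length == 0"`, turns both a stale `true` and a typo in the name into a readable error, and `nginx.default_ssl_domain` deserves the same check since the include on the `listen 443 default_server ssl` block uses it. Separately, the new `default_server` suffixes on the per-server `listen 443` lines can collide with that hard-coded `default_server` block at the top of the file when a server sets `default: true` together with `ssl`; the condition around that block is outside the hunk, so please confirm both cannot be rendered for one host.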


@ -1,7 +1,7 @@
{{ ansible_header | comment }}
ssl_certificate {{ nginx.ssl.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }};
ssl_certificate {{ item.cert }};
ssl_certificate_key {{ item.cert_key }};
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }};
ssl_trusted_certificate {{ item.trusted_cert }};
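Review bot: The snippet now reads the bare loop variable `item`, which only makes sense next to the `loop: "{{ nginx.ssl }}"` task elsewhere in this commit; nothing in the template says which keys are expected or who supplies them. A header comment after the ansible_header line, `{# Rendered once per entry of nginx.ssl (task "Copy SSL snippets"); item must provide cert, cert_key and trusted_cert #}`, documents that contract, and a `loop_control: loop_var: ssl_entry` on the task with matching references here would make the file self-describing. A missing key should already abort the render rather than emit an empty `ssl_certificate` directive, which is the right behaviour for certificate paths.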


@ -1,3 +0,0 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> NGINX a été déployé sur cette machine. Voir /etc/nginx/.