[nginx] Add feature to manage multiple certificates, for example for crans.org and for adm.crans.org

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
certbot_on_virtu
Yohann D'ANELLO 2021-02-18 15:49:10 +01:00 committed by ynerant
parent 96d5f945e3
commit 72238d79ed
10 changed files with 83 additions and 74 deletions


@ -9,7 +9,7 @@ loc_nginx:
servers: servers:
- server_name: - server_name:
- lists.crans.org - lists.crans.org
ssl: true ssl: crans.org
root: "/usr/lib/cgi-bin/mailman/" root: "/usr/lib/cgi-bin/mailman/"
index: index:
- index.htm - index.htm
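Review bot: `ssl: crans.org` is now a free-form name that the nginx template interpolates into the include path `options-ssl.{{ server.ssl }}.conf`, so it has to match a `name` entry of `nginx.ssl` exactly; a typo is only caught when nginx refuses to start, and nothing in this change validates it. The same assumption is made for `default_ssl_domain: crans.org` in the group_vars hunk. An `assert` task in the nginx role, checking `server.ssl in (nginx.ssl | map(attribute='name') | list)` for each server before templating, would surface the mistake during the play instead of at `nginx -t`.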


@ -4,11 +4,14 @@ glob_nginx:
who: "L'équipe technique du Cr@ns" who: "L'équipe technique du Cr@ns"
service_name: service service_name: service
ssl: ssl:
# Add adm.crans.org if necessary
- name: crans.org
cert: /etc/letsencrypt/live/crans.org/fullchain.pem cert: /etc/letsencrypt/live/crans.org/fullchain.pem
cert_key: /etc/letsencrypt/live/crans.org/privkey.pem cert_key: /etc/letsencrypt/live/crans.org/privkey.pem
trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem
servers: servers:
- ssl: false - ssl: false # Replace by crans.org or adm.crans.org
default: true
server_name: server_name:
- "default" - "default"
- "_" - "_"
@ -21,4 +24,5 @@ glob_nginx:
auth_passwd: [] auth_passwd: []
default_server: default_server:
default_ssl_server: default_ssl_server:
default_ssl_domain: crans.org
deploy_robots_file: false deploy_robots_file: false
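Review bot: The new `ssl:` list carries an implicit contract that the comment `# Add adm.crans.org if necessary` does not state: each `name` selects the certbot lineage under `/etc/letsencrypt/live/<name>/`, names the snippet written by the nginx role, and is what servers' `ssl:` values and `default_ssl_domain` must reference. A comment such as `# One entry per certificate; 'name' must match the certbot lineage and is referenced by servers' ssl: and by default_ssl_domain` would make that explicit. Because the playbooks build `nginx` with `combine` at top level (recursive merge is not visible here), a host that sets `ssl:` in `loc_nginx` presumably replaces this whole list and has to restate the crans.org entry as well; that is worth noting next to the list too.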


@ -37,7 +37,7 @@ to_backup:
loc_nginx: loc_nginx:
service_name: ftp service_name: ftp
servers: servers:
server_name: - server_name:
- "ftp" - "ftp"
- "ftp.*" - "ftp.*"
- "mirror" - "mirror"
@ -50,7 +50,7 @@ loc_nginx:
root: "/pubftp" root: "/pubftp"
locations: locations:
- filter: "/" - filter: "/"
- params: params:
- "autoindex on" - "autoindex on"
- "autoindex_exact_size off" - "autoindex_exact_size off"
- "add_before_body /.html/HEADER.html" - "add_before_body /.html/HEADER.html"


@ -4,6 +4,11 @@ interfaces:
srv: ens19 srv: ens19
loc_certbot: loc_certbot:
- dns_rfc2136_server: '172.16.10.147'
dns_rfc2136_name: certbot_challenge.
dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
mail: root@crans.org
certname: crans.org
domains: "irc.crans.org" domains: "irc.crans.org"
loc_nginx: loc_nginx:
@ -12,7 +17,8 @@ loc_nginx:
- server_name: - server_name:
- "irc.crans.org" - "irc.crans.org"
- "irc" - "irc"
ssl: true default: true
ssl: crans.org
locations: locations:
- filter: "^~ /web/" - filter: "^~ /web/"
params: params:


@ -2,7 +2,7 @@
--- ---
- hosts: irc - hosts: irc
vars: vars:
certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}' certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'
nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}'
thelounge: '{{ glob_thelounge | default({}) | combine(loc_thelounge | default({})) }}' thelounge: '{{ glob_thelounge | default({}) | combine(loc_thelounge | default({})) }}'
roles: roles:
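Review bot: The `certbot` variable now takes `loc_certbot` whole and only otherwise falls back to `glob_certbot | default([])`, so the role receives a list from hosts that define `loc_certbot` (the irc host_vars in this commit) but whatever shape `glob_certbot` still has elsewhere; if it remained a mapping, the role would be handed two different types depending on the host. Either convert `glob_certbot` to the same list shape or state the expectation on this line, e.g. `# certbot: list of certificates to request; loc_certbot replaces glob_certbot entirely (no merge)`. Only the irc playbook is in this diff; other playbooks that compute `certbot` presumably need the same treatment.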


@ -8,6 +8,10 @@
default_url: "https://lists.crans.org/" default_url: "https://lists.crans.org/"
default_host: "lists.crans.org" default_host: "lists.crans.org"
default_language: "fr" default_language: "fr"
custom_logo: "crans_icon_dark.svg"
custom_logo_name: "crans.svg"
custom_logo_url: "https://www.crans.org/"
custom_logo_alt: "CRANS"
spamassassin: "SpamAssassin_crans" spamassassin: "SpamAssassin_crans"
smtphost: "smtp.adm.crans.org" smtphost: "smtp.adm.crans.org"
mynetworks: ['138.231.0.0/16', '185.230.76.0/22', '2a0c:700:0::/40'] mynetworks: ['138.231.0.0/16', '185.230.76.0/22', '2a0c:700:0::/40']


@ -7,16 +7,22 @@
retries: 3 retries: 3
until: apt_result is succeeded until: apt_result is succeeded
- name: Copy snippets - name: Copy proxypass snippets
template: template:
src: "nginx/snippets/{{ item }}.j2" src: "nginx/snippets/options-proxypass.conf.j2"
dest: "/etc/nginx/snippets/{{ item }}" dest: "/etc/nginx/snippets/options-proxypass.conf"
owner: root owner: root
group: root group: root
mode: 0644 mode: 0644
loop:
- options-ssl.conf - name: Copy SSL snippets
- options-proxypass.conf template:
src: "nginx/snippets/options-ssl.conf.j2"
dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"
owner: root
group: root
mode: 0644
loop: "{{ nginx.ssl }}"
- name: Copy dhparam - name: Copy dhparam
template: template:
@ -98,12 +104,6 @@
group: www-data group: www-data
mode: 0644 mode: 0644
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx
mode: 0755
- name: Install passwords - name: Install passwords
when: nginx.auth_passwd|length > 0 when: nginx.auth_passwd|length > 0
template: template:
@ -119,3 +119,9 @@
owner: www-data owner: www-data
group: www-data group: www-data
mode: 0644 mode: 0644
- name: Indicate role in motd
template:
src: update-motd.d/05-service.j2
dest: /etc/update-motd.d/05-nginx
mode: 0755
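Review bot: The new `Copy SSL snippets` loop writes one `options-ssl.<name>.conf` per entry, but nothing removes the former unsuffixed `/etc/nginx/snippets/options-ssl.conf` that the previous task installed, nor snippets for names later dropped from `nginx.ssl`, so stale snippets pointing at old certificate and key paths stay on every host. A `file` task with `path: /etc/nginx/snippets/options-ssl.conf` and `state: absent` next to this loop would clean up the legacy file after the first run. Adding `loop_control:` with `label: "{{ item.name }}"` would also keep the task output to the certificate name rather than dumping each whole item.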


@ -19,7 +19,7 @@ upstream {{ upstream.name }} {
server { server {
listen 443 default_server ssl; listen 443 default_server ssl;
listen [::]:443 default_server ssl; listen [::]:443 default_server ssl;
include "/etc/nginx/snippets/options-ssl.conf"; include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf";
server_name _; server_name _;
charset utf-8; charset utf-8;
@ -55,8 +55,8 @@ server {
{% if server.ssl is defined and server.ssl -%} {% if server.ssl is defined and server.ssl -%}
# Redirect HTTP to HTTPS # Redirect HTTP to HTTPS
server { server {
listen 80; listen 80{% if server.default is defined and server.default %} default_server{% endif %};
listen [::]:80; listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %};
server_name {{ server.server_name|join(" ") }}; server_name {{ server.server_name|join(" ") }};
charset utf-8; charset utf-8;
@ -72,9 +72,9 @@ server {
server { server {
{% if server.ssl is defined and server.ssl -%} {% if server.ssl is defined and server.ssl -%}
listen 443 ssl; listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
listen [::]:443 ssl; listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl;
include "/etc/nginx/snippets/options-ssl.conf"; include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf";
{% else -%} {% else -%}
listen 80 default; listen 80 default;
listen [::]:80 default; listen [::]:80 default;
@ -86,29 +86,21 @@ server {
# Hide Nginx version # Hide Nginx version
server_tokens off; server_tokens off;
{% if server.root is defined -%} {% if server.root is defined %}root {{ server.root }};{% endif %}
root {{ server.root }}; {% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %}
{% endif -%}
{% if server.index is defined -%}
index {{ server.index|join(" ") }};
{% endif -%}
{% if server.access_log is defined -%} {% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %}
access_log {{ server.access_log }}; {% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %}
{% endif -%}
{% if server.error_log is defined -%}
error_log {{ server.error_log }};
{% endif -%}
{% if server.locations is defined -%} {% if server.locations is defined %}
{% for location in server.locations %}
{% for location in server.locations -%}
location {{ location.filter }} { location {{ location.filter }} {
{% for param in location.params -%} {% for param in location.params %}
{{ param }}; {{ param }};
{% endfor -%} {% endfor %}
} }
{% endfor -%}
{% endif -%} {% endfor %}
{% endif %}
} }
{% endfor %} {% endfor %}
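Review bot: The non-SSL branch still emits `listen 80 default;` / `listen [::]:80 default;` for every plain-HTTP server regardless of the new `server.default` flag, while the SSL and redirect branches now honour it; on a host where a `default: true` SSL server is rendered next to the group default server (`ssl: false`, `default: true`), port 80 would carry two default servers and nginx rejects the configuration. Changing the else branch to `listen 80{% if server.default is defined and server.default %} default_server{% endif %};` (and likewise for `[::]:80`) keeps the four `listen` lines consistent. The first hunk's `listen 443 default_server ssl;` block with `server_name _;` can conflict with any `default: true` SSL server on 443 in the same way; whether that block is guarded by `nginx.default_ssl_server` is not visible here. The enclosing `{% for server ... %}` starts outside these hunks.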


@ -1,7 +1,7 @@
{{ ansible_header | comment }} {{ ansible_header | comment }}
ssl_certificate {{ nginx.ssl.cert }}; ssl_certificate {{ item.cert }};
ssl_certificate_key {{ nginx.ssl.cert_key }}; ssl_certificate_key {{ item.cert_key }};
ssl_session_timeout 1d; ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off; ssl_session_tickets off;
@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off;
# Enable OCSP Stapling, point to certificate chain # Enable OCSP Stapling, point to certificate chain
ssl_stapling on; ssl_stapling on;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; ssl_trusted_certificate {{ item.trusted_cert }};
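Review bot: The snippet now reads `item.cert`, `item.cert_key` and `item.trusted_cert`, so it is only renderable from the `Copy SSL snippets` loop, and an entry of `nginx.ssl` missing any of those keys aborts the play with an undefined-variable error rather than a clear message; a header comment stating that contract would help, e.g. `{# Rendered once per entry of nginx.ssl; each entry needs name, cert, cert_key and trusted_cert #}`. Since `ssl_stapling_verify on` is kept, `trusted_cert` must be the issuer chain matching that entry's `cert`; with a mismatched chain nginx keeps serving but disables stapling for that server with only a log warning, which is easy to miss.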


@ -1,3 +0,0 @@
#!/usr/bin/tail +14
{{ ansible_header | comment }}
> NGINX a été déployé sur cette machine. Voir /etc/nginx/.