From 766fba77f93f0c3aede555d6203049c71bc618b9 Mon Sep 17 00:00:00 2001 From: Geno Date: Tue, 8 Dec 2020 23:54:31 +0100 Subject: [PATCH] with letsencrypt support --- defaults/main.yml | 3 ++- handlers/main.yml | 3 +++ tasks/main.yml | 4 ++++ tasks/tls.yml | 43 +++++++++++++++++++++++++++++++++++++ templates/dehydrated | 2 ++ templates/letsencrypt.nginx | 4 ++++ templates/nginx.conf | 28 +++++++++++++++++++++++- 7 files changed, 85 insertions(+), 2 deletions(-) create mode 100644 tasks/tls.yml create mode 100644 templates/dehydrated create mode 100644 templates/letsencrypt.nginx diff --git a/defaults/main.yml b/defaults/main.yml index a37f5ec..15ee4fe 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -5,4 +5,5 @@ osp_edge_allow: - "::1" - "127.0.0.1" - +osp_edge_tls_enabled: False +osp_edge_hostname: "{{ inventory_hostname }}" diff --git a/handlers/main.yml b/handlers/main.yml index e0af6b0..900d59f 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -2,3 +2,6 @@ systemd: name: nginx state: reloaded + +- name: dehydrated + command: /usr/bin/dehydrated -c diff --git a/tasks/main.yml b/tasks/main.yml index 829d763..c725bfa 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -54,3 +54,7 @@ name: nginx state: started enabled: yes + +- name: tls + import_tasks: tls.yml + when: osp_edge_tls_enabled diff --git a/tasks/tls.yml b/tasks/tls.yml new file mode 100644 index 0000000..0383f71 --- /dev/null +++ b/tasks/tls.yml 
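Review bot: `osp_edge_tls_enabled: False` in defaults/main.yml uses the capitalised Python-style boolean; Ansible's loader accepts it, but the YAML 1.2 core schema and yamllint's truthy rule only recognise lowercase `true`/`false`, so write `osp_edge_tls_enabled: false` to keep the default portable across tooling. The quoted `"{{ inventory_hostname }}"` default is correct YAML, but because this value becomes the ACME subject and the `server_name`, it is worth a comment above it, e.g. `# Must be a publicly resolvable DNS name when osp_edge_tls_enabled is true; override if inventory names are not FQDNs`.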
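Review bot: The new `dehydrated` handler in handlers/main.yml is the only place this patch runs `/usr/bin/dehydrated -c`, and a handler fires only when the `lineinfile` task changes `domains.txt`, so a certificate issued on the first run is never renewed and the `:443` server will serve an expired chain after the 90-day lifetime. Add a scheduled renewal alongside the handler, for example a `cron`/systemd-timer task that runs `/usr/bin/dehydrated -c` daily, and consider naming the handler for what it does (`issue certificate`) rather than after the binary. The handler itself is fine as a `command`, since a non-zero exit from a failed challenge will fail the play visibly.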
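Review bot: `import_tasks: tls.yml` runs after nginx is started, yet the TLS server block that the same commit adds to templates/nginx.conf references `/etc/dehydrated/certs/{{ osp_edge_hostname }}/fullchain.pem`, a file that only exists once the `dehydrated` handler has run at the end of the play; handlers fire in definition order (`reload nginx` before `dehydrated`), so on a first run with `osp_edge_tls_enabled` set nginx will reject its configuration with a missing-certificate error. The task that renders nginx.conf is outside this hunk, but the bootstrap presumably needs the config rendered without the 443 block first, the certificate obtained while the challenge path is reachable, and only then the TLS block enabled; a `stat` on the fullchain file whose result gates the `{% if %}` in the template, or an explicit `command: /usr/bin/dehydrated -c` task with `args: {creates: /etc/dehydrated/certs/{{ osp_edge_hostname }}/fullchain.pem}` followed by `meta: flush_handlers` before the TLS config is reloaded, would break the cycle.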
@@ -0,0 +1,43 @@
+- name: Install
+ package:
+ name: dehydrated
+
+- name: create folders
+ file:
+ path: "{{ item }}"
+ state: directory
+ with_items:
+ - /etc/nginx/sites.d
+ - /etc/nginx/local.d
+ - /etc/nginx/snippets
+
+- name: create folders
+ file:
+ path: "/srv/http/.well-known/acme-challenge"
+ state: directory
+
+- name: templates
+ notify: reload nginx
+ template:
+ src: "{{ item.file }}"
+ dest: "/etc/nginx/{{ item.path }}"
+ with_items:
+ - file: letsencrypt.nginx
+ path: snippets/letsencrypt.conf
+
+- name: config dehydrated
+ template:
+ src: dehydrated
+ dest: /etc/dehydrated/config
+
+- name: get let's encrypt account
+ command: /usr/bin/dehydrated --register --accept-terms
+ args:
+ creates: /etc/dehydrated/accounts
+
+- name: get inventory_hostname cert
+ notify: dehydrated
+ lineinfile:
+ path: /etc/dehydrated/domains.txt
+ line: "{{ osp_edge_hostname }}"
+ create: yes
diff --git a/templates/dehydrated b/templates/dehydrated
new file mode 100644
index 0000000..f5b2fac
--- /dev/null
+++ b/templates/dehydrated
@@ -0,0 +1,2 @@
+WELLKNOWN=/srv/http/.well-known/acme-challenge
+CONTACT_EMAIL={{ webserver_dehydrated_email }}
diff --git a/templates/letsencrypt.nginx b/templates/letsencrypt.nginx
new file mode 100644
index 0000000..f8b03d4
--- /dev/null
+++ b/templates/letsencrypt.nginx
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge {
+ alias /srv/http/.well-known/acme-challenge;
+ allow all;
+}
diff --git a/templates/nginx.conf b/templates/nginx.conf
index 5260bb5..eff6ccb 100644
--- a/templates/nginx.conf
+++ b/templates/nginx.conf
@@ -63,6 +63,7 @@ http { server { listen 9000; + listen [::]:9000; allow 127.0.0.1; # keep save there is one allowed {% for h in osp_edge_allow %}
@@ -86,7 +87,9 @@ http { # set client body size to 16M # client_max_body_size 16M; - +{% if osp_edge_tls_enabled %} + include snippets/letsencrypt.conf; +{% endif %} include osp-redirects.conf; # redirect server error pages to the static page /50x.html
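Review bot: The `file` tasks that create `/srv/http/.well-known/acme-challenge` and the `template` task that writes `/etc/dehydrated/config` set no `owner`/`mode`, so the resulting permissions depend on the umask of whatever runs the play; set `mode: "0755"` on the challenge directory (the nginx worker user must be able to read the tokens dehydrated drops there) and `mode: "0644"` on the config so the outcome is deterministic. Style points: `create: yes` should be `create: true`, both `with_items` loops can be `loop`, and `/etc/nginx/sites.d` and `/etc/nginx/local.d` are created but nothing else in this patch references them — drop them or add a comment saying what is expected to populate them. The `--register --accept-terms` task is correctly made idempotent via `creates: /etc/dehydrated/accounts`.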
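Review bot: The dehydrated config sets no `HOOK`, so whenever `dehydrated -c` does obtain a new certificate nginx keeps serving the previous one until something else reloads it; point `HOOK=/etc/dehydrated/hook.sh` at a small script whose `deploy_cert` case runs `systemctl reload nginx` (dehydrated passes the hook name as `$1`). `CONTACT_EMAIL={{ webserver_dehydrated_email }}` references a variable that the `defaults/main.yml` hunk in this patch does not define and that breaks the role's `osp_edge_` prefix, so the template fails with an undefined-variable error unless the value is set elsewhere; define `osp_edge_dehydrated_email` in defaults (or guard it with an `assert` task) and use that name here.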
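Review bot: The `alias` target is exactly the document root plus the location path, so `root /srv/http;` expresses the same mapping and is the form the nginx documentation recommends; `alias` under a prefix location is the construction where a later trailing-slash edit on only one side turns a request like `/.well-known/acme-challenge../` into a read outside the challenge directory, and `root` has no such failure mode. `allow all;` intentionally punches through the server-level allow-list for this one path, which the ACME validator needs since it connects from arbitrary addresses, but say so in a comment, e.g. `# ACME validators connect from arbitrary IPs: override the server allow-list for this path only`, so the line is not "fixed" later.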
@@ -95,6 +98,29 @@ http { root html; } } +{% if osp_edge_tls_enabled %} + server { + listen [::]:443 ssl http2; + listen 443 ssl http2; + + server_name {{ osp_edge_hostname }}; + + ssl_certificate /etc/dehydrated/certs/{{ osp_edge_hostname }}/fullchain.pem; + ssl_certificate_key /etc/dehydrated/certs/{{ osp_edge_hostname }}/privkey.pem; + + # set client body size to 16M # + client_max_body_size 16M; + + include snippets/letsencrypt.conf; + include osp-redirects.conf; + + # redirect server error pages to the static page /50x.html + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root html; + } + } +{% endif %} } include osp-rtmp.conf;
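Review bot: The new 443 server sets only `ssl_certificate` and `ssl_certificate_key`, leaving protocol and cipher selection to the nginx build defaults, which on many distributions current for this commit still permit TLS 1.0 and 1.1; pin `ssl_protocols TLSv1.2 TLSv1.3;`, leave cipher choice to the client with `ssl_prefer_server_ciphers off;`, configure a shared session cache with tickets disabled, and add HSTS once the deployment is confirmed working. The `:9000` server earlier in the file restricts access with `allow 127.0.0.1` and the `osp_edge_allow` list while this server block has no access control at all; if that allow-list is meant as access control for the same `osp-redirects.conf` content, the TLS listener bypasses it, which cannot be judged from this hunk alone and deserves a comment either way.

```nginx
        ssl_certificate_key /etc/dehydrated/certs/{{ osp_edge_hostname }}/privkey.pem;

        # TLS 1.0/1.1 are deprecated; do not rely on the build default.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers off;
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        # Enable only once HTTPS is known to work; browsers cache this for max-age.
        add_header Strict-Transport-Security "max-age=63072000" always;

        # … unchanged: client_max_body_size, includes, error_page …
```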