with letsencrypt support

This commit is contained in:
Geno 2020-12-08 23:54:31 +01:00
parent 11d7e0162b
commit 766fba77f9
7 changed files with 85 additions and 2 deletions


@ -5,4 +5,5 @@ osp_edge_allow:
- "::1" - "::1"
- "127.0.0.1" - "127.0.0.1"
osp_edge_tls_enabled: False
osp_edge_hostname: "{{ inventory_hostname }}"
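Review bot: `osp_edge_tls_enabled: False` should be written `osp_edge_tls_enabled: false`; Ansible accepts the capitalised form, but lowercase `true`/`false` is the only spelling that passes yamllint's truthy check and reads identically under YAML 1.1 and 1.2. The new defaults also leave `webserver_dehydrated_email` undefined, although templates/dehydrated in this commit renders it into `CONTACT_EMAIL`, so the role fails on an undefined variable as soon as TLS is enabled unless every inventory sets it. Adding `osp_edge_dehydrated_email: ""` here (and using that name in the template) keeps the variable inside the role's `osp_edge_` prefix; if the address is meant to be mandatory, an `assert` in tasks/tls.yml with a clear message is friendlier than a templating error.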


@ -2,3 +2,6 @@
systemd: systemd:
name: nginx name: nginx
state: reloaded state: reloaded
- name: dehydrated
command: /usr/bin/dehydrated -c
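Review bot: The new `dehydrated` handler issues or renews the certificate but never reloads nginx afterwards, so a freshly issued or renewed certificate is not served until something else triggers `reload nginx` (whose definition starts above this hunk). Handlers may notify other handlers, so `notify: reload nginx` on the `dehydrated` handler closes that gap for Ansible-driven runs; if renewals are also meant to run from a timer outside Ansible, a dehydrated `HOOK` script handling the `deploy_cert` action is where the reload belongs. The handler also runs `command` without `changed_when`, which is acceptable for a handler but deserves a comment, since `dehydrated -c` is a no-op when nothing is due.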


@ -54,3 +54,7 @@
name: nginx name: nginx
state: started state: started
enabled: yes enabled: yes
- name: tls
import_tasks: tls.yml
when: osp_edge_tls_enabled

tasks/tls.yml Normal file

@ -0,0 +1,43 @@
- name: Install
package:
name: dehydrated
- name: create folders
file:
path: "{{ item }}"
state: directory
with_items:
- /etc/nginx/sites.d
- /etc/nginx/local.d
- /etc/nginx/snippets
- name: create folders
file:
path: "/srv/http/.well-known/acme-challenge"
state: directory
- name: templates
notify: reload nginx
template:
src: "{{ item.file }}"
dest: "/etc/nginx/{{ item.path }}"
with_items:
- file: letsencrypt.nginx
path: snippets/letsencrypt.conf
- name: config dehydrated
template:
src: dehydrated
dest: /etc/dehydrated/config
- name: get let's encrypt account
command: /usr/bin/dehydrated --register --accept-terms
args:
creates: /etc/dehydrated/accounts
- name: get inventory_hostname cert
notify: dehydrated
lineinfile:
path: /etc/dehydrated/domains.txt
line: "{{ osp_edge_hostname }}"
create: yes
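Review bot: Certificate issuance happens only in the `dehydrated` handler notified by the last task, so nothing in this file guarantees `/etc/dehydrated/certs/{{ osp_edge_hostname }}/fullchain.pem` exists when nginx is reloaded with the TLS server block added elsewhere in this commit that references it; on a fresh host, depending on where the nginx config is rendered relative to this import, `reload nginx` can fail its config test and abort the play before the handler ever runs. Requesting the certificate synchronously avoids that: flush handlers so nginx serves the challenge location, then run `dehydrated -c` guarded by `creates:` on the certificate path (sketch below), keeping the handler for renewals. Two tasks are both named `create folders` (lines 44 and 52); fold the second into the first by adding `- /srv/http/.well-known/acme-challenge` to its `with_items` list. `create: yes` should be `create: true`, and `/etc/nginx/sites.d` and `/etc/nginx/local.d` are created but not referenced anywhere in this commit, so a comment naming what fills them would help the next reader.
```yaml
# … unchanged: install, folders, templates, dehydrated config, account registration …

- name: get inventory_hostname cert
  notify: dehydrated
  lineinfile:
    path: /etc/dehydrated/domains.txt
    line: "{{ osp_edge_hostname }}"
    create: true

# nginx must already serve /.well-known/acme-challenge for the HTTP-01 validation to succeed
- name: apply pending nginx reload before requesting the certificate
  meta: flush_handlers

- name: request certificate for osp_edge_hostname
  command: /usr/bin/dehydrated -c
  args:
    creates: /etc/dehydrated/certs/{{ osp_edge_hostname }}/fullchain.pem
```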

templates/dehydrated Normal file

@ -0,0 +1,2 @@
WELLKNOWN=/srv/http/.well-known/acme-challenge
CONTACT_EMAIL={{ webserver_dehydrated_email }}
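Review bot: As far as I recall dehydrated reads this config by sourcing it as shell, so both values should be double-quoted to survive spaces or shell metacharacters in the rendered address: `WELLKNOWN="/srv/http/.well-known/acme-challenge"` and `CONTACT_EMAIL="{{ webserver_dehydrated_email }}"`. The email variable also departs from the `osp_edge_` naming the rest of the role uses, which makes it easy to overlook in inventories; if it is renamed, change it here and in the role defaults together.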


@ -0,0 +1,4 @@
location /.well-known/acme-challenge {
alias /srv/http/.well-known/acme-challenge;
allow all;
}
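Review bot: `location /.well-known/acme-challenge` has no trailing slash while `alias` names a directory, which is the classic nginx alias-prefix mismatch: nginx substitutes the alias for the matched prefix verbatim, so the mapping is only correct for URIs that continue with `/` and other prefix matches can resolve outside the intended directory. Use matching trailing slashes, `location /.well-known/acme-challenge/ { alias /srv/http/.well-known/acme-challenge/; }`, or simply `root /srv/http;` since the URI path and the filesystem layout coincide. `allow all;` is needed to override the per-server `allow`/`deny` list for the validation requests, but a one-line comment stating that intent would stop a later hardening pass from removing it.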


@ -63,6 +63,7 @@ http {
server { server {
listen 9000; listen 9000;
listen [::]:9000;
allow 127.0.0.1; # keep save there is one allowed allow 127.0.0.1; # keep save there is one allowed
{% for h in osp_edge_allow %} {% for h in osp_edge_allow %}
@ -86,7 +87,9 @@ http {
# set client body size to 16M # # set client body size to 16M #
client_max_body_size 16M; client_max_body_size 16M;
{% if osp_edge_tls_enabled %}
include snippets/letsencrypt.conf;
{% endif %}
include osp-redirects.conf; include osp-redirects.conf;
# redirect server error pages to the static page /50x.html # redirect server error pages to the static page /50x.html
@ -95,6 +98,29 @@ http {
root html; root html;
} }
} }
{% if osp_edge_tls_enabled %}
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name {{ osp_edge_hostname }};
ssl_certificate /etc/dehydrated/certs/{{ osp_edge_hostname }}/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/{{ osp_edge_hostname }}/privkey.pem;
# set client body size to 16M #
client_max_body_size 16M;
include snippets/letsencrypt.conf;
include osp-redirects.conf;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
{% endif %}
} }
include osp-rtmp.conf; include osp-rtmp.conf;