with letsencrypt support

This commit is contained in:
Geno 2020-12-09 00:25:50 +01:00
parent 81c60a35c0
commit fec0c029d3
7 changed files with 91 additions and 9 deletions

View File

@ -7,6 +7,9 @@ osp_worker_timeout: 30
# should not be edited # should not be edited
osp_worker_worker: 1 osp_worker_worker: 1
osp_tls_enabled: False
osp_hostname: "{{ inventory_hostname }}"
osp_http_user: "http" osp_http_user: "http"
osp_http_group: "http" osp_http_group: "http"
osp_http_path: "/var/www" osp_http_path: "/var/www"
@ -24,5 +27,5 @@ osp_secret_key: "{{ lookup('password', 'credentials/'+inventory_hostname+'/osp_s
osp_password_salt: "{{ lookup('password', 'credentials/'+inventory_hostname+'/osp_password_salt length=8 chars=digits') }}" osp_password_salt: "{{ lookup('password', 'credentials/'+inventory_hostname+'/osp_password_salt length=8 chars=digits') }}"
osp_allow_registration: yes osp_allow_registration: yes
osp_require_email_registration: yes osp_require_email_registration: yes
osp_ejabberd_domain: "CHANGEME" osp_ejabberd_domain: "{{ osp_hostname }}"
osp_ejabberd_password: "{{ lookup('password', 'credentials/'+inventory_hostname+'/osp_ejabberd_password length=8 chars=digits') }}" osp_ejabberd_password: "{{ lookup('password', 'credentials/'+inventory_hostname+'/osp_ejabberd_password length=8 chars=digits') }}"

View File

@ -14,6 +14,9 @@
name: nginx name: nginx
state: reloaded state: reloaded
- name: dehydrated
command: /usr/bin/dehydrated -c
- name: restart osp - name: restart osp
systemd: systemd:
name: osp.target name: osp.target

View File

@ -108,6 +108,10 @@
- live-adapt - live-adapt
- stream-thumb - stream-thumb
- name: tls
import_tasks: tls.yml
when: osp_tls_enabled
- name: Nginx - name: Nginx
systemd: systemd:
name: nginx name: nginx
@ -134,12 +138,12 @@
requirements: /opt/osp/setup/requirements.txt requirements: /opt/osp/setup/requirements.txt
virtualenv: /opt/osp-venv virtualenv: /opt/osp-venv
- name: Create cache directory #- name: Create cache directory
file: # file:
path: /var/cache/osp # path: /var/cache/osp
owner: "{{ osp_http_user }}" # owner: "{{ osp_http_user }}"
group: "{{ osp_http_group }}" # group: "{{ osp_http_group }}"
state: directory # state: directory
- name: Create logging directory - name: Create logging directory
file: file:

43
tasks/tls.yml Normal file
View File

@ -0,0 +1,43 @@
- name: Install
package:
name: dehydrated
- name: create folders
file:
path: "{{ item }}"
state: directory
with_items:
- /etc/nginx/sites.d
- /etc/nginx/local.d
- /etc/nginx/snippets
- name: create folders
file:
path: "/srv/http/.well-known/acme-challenge"
state: directory
- name: templates
notify: reload nginx
template:
src: "{{ item.file }}"
dest: "/etc/nginx/{{ item.path }}"
with_items:
- file: letsencrypt.nginx
path: snippets/letsencrypt.conf
- name: config dehydrated
template:
src: dehydrated
dest: /etc/dehydrated/config
- name: get let's encrypt account
command: /usr/bin/dehydrated --register --accept-terms
args:
creates: /etc/dehydrated/accounts
- name: get inventory_hostname cert
notify: dehydrated
lineinfile:
path: /etc/dehydrated/domains.txt
line: "{{ osp_hostname }}"
create: yes

2
templates/dehydrated Normal file
View File

@ -0,0 +1,2 @@
WELLKNOWN=/srv/http/.well-known/acme-challenge
CONTACT_EMAIL={{ webserver_dehydrated_email }}

View File

@ -0,0 +1,4 @@
location /.well-known/acme-challenge {
alias /srv/http/.well-known/acme-challenge;
allow all;
}

View File

@ -17,7 +17,7 @@ http {
include mime.types; include mime.types;
default_type application/octet-stream; default_type application/octet-stream;
proxy_cache_path /var/cache/osp levels=1:2 keys_zone=auth_cache:5m max_size=1g inactive=24h; proxy_cache_path /tmp/osp levels=1:2 keys_zone=auth_cache:5m max_size=1g inactive=24h;
sendfile on; sendfile on;
tcp_nopush on; tcp_nopush on;
@ -92,11 +92,32 @@ http {
root /opt/osp/static; root /opt/osp/static;
} }
} }
{% if osp_tls_enabled %}
server {
listen [::]:80;
listen 80;
location / {
return 301 https://$host$request_uri;
}
include snippets/letsencrypt.conf;
}
{% endif %}
# NGINX to OSP Gunicorn Processes Reverse Proxy # NGINX to OSP Gunicorn Processes Reverse Proxy
server { server {
{% if osp_tls_enabled %}
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name {{ osp_hostname }};
ssl_certificate /etc/dehydrated/certs/{{ osp_hostname }}/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/{{ osp_hostname }}/privkey.pem;
{% else %}
listen 80; listen 80;
listen [::]:80; listen [::]:80;
{% endif %}
# set client body size to 16M # # set client body size to 16M #
client_max_body_size 16M; client_max_body_size 16M;
@ -110,7 +131,9 @@ http {
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
} }
{% if osp_tls_enabled %}
include snippets/letsencrypt.conf;
{% endif %}
include osp-socketio.conf; include osp-socketio.conf;
include osp-redirects.conf; include osp-redirects.conf;