commit cd6fac65701b49cc15b3156b88f24f146b5d33ad Author: genofire Date: Tue Jul 21 02:22:32 2020 +0200 init diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..3ee3fc9 --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,8 @@ +--- +- name: reload nginx + systemd: + name: nginx + state: reloaded + +- name: dehydrated + command: /usr/bin/dehydrated -c diff --git a/tasks/main.yml b/tasks/main.yml new file mode 100644 index 0000000..a96306e --- /dev/null +++ b/tasks/main.yml @@ -0,0 +1,66 @@ +- name: Install + package: + name: + - nginx + - dehydrated + +- name: create folders + file: + path: "{{ item }}" + state: directory + with_items: + - /srv/http/.well-known/acme-challenge + - /etc/nginx/sites.d + - /etc/nginx/snippets + +- name: templates + notify: reload nginx + template: + src: "{{ item.file }}" + dest: "/etc/nginx/{{ item.path }}" + with_items: + - file: nginx.conf + path: nginx.conf + - file: letsencrypt.nginx + path: snippets/letsencrypt.conf + - file: 00-tls-redirect.nginx + path: sites.d/00-tls-redirect.act + +- name: started + systemd: + name: nginx + state: started + +- name: config dehydrated + template: + src: dehydrated + dest: /etc/dehydrated/config + +- name: get let's encrypt account + command: /usr/bin/dehydrated --register --accept-terms + args: + creates: /etc/dehydrated/accounts + +- name: get inventory_hostname cert + notify: dehydrated + lineinfile: + path: /etc/dehydrated/domains.txt + line: "{{ inventory_hostname }}" + create: yes + +- name: templates + notify: reload nginx + template: + src: "10-tls.nginx" + dest: "/etc/nginx/sites.d/10-tls.act" + +- name: enabled dehydrated + systemd: + name: dehydrated.timer + state: started + enabled: yes + +- name: enabled nginx + systemd: + name: nginx + enabled: yes diff --git a/templates/00-tls-redirect.nginx b/templates/00-tls-redirect.nginx new file mode 100644 index 0000000..5686ad5 --- /dev/null +++ b/templates/00-tls-redirect.nginx @@ -0,0 +1,12 @@ +server { + listen [::]:80; + listen 80; + + server_name _; + + location / { + return 301 https://$host$request_uri; + } + + include snippets/letsencrypt.conf; +} diff --git a/templates/10-tls.nginx b/templates/10-tls.nginx new file mode 100644 index 0000000..ee5a432 --- /dev/null +++ b/templates/10-tls.nginx @@ -0,0 +1,21 @@ +server { + listen [::]:443 ssl http2; + listen 443 ssl http2; + + server_name {{ inventory_hostname }}; + + ssl_certificate /etc/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem; + ssl_certificate_key /etc/dehydrated/certs/{{ inventory_hostname }}/privkey.pem; + + location / { + root /usr/share/nginx/html; + index index.html index.htm; + } + + error_page 500 502 503 504 /50x.html; + location = /50x.html { + root /usr/share/nginx/html; + } + + include snippets/letsencrypt.conf; +} diff --git a/templates/dehydrated b/templates/dehydrated new file mode 100644 index 0000000..5b0c982 --- /dev/null +++ b/templates/dehydrated @@ -0,0 +1,2 @@ +WELLKNOWN=/srv/http/.well-known/acme-challenge +CONTACT_EMAIL={{ nginx_dehydrated_email }} diff --git a/templates/letsencrypt.nginx b/templates/letsencrypt.nginx new file mode 100644 index 0000000..f8b03d4 --- /dev/null +++ b/templates/letsencrypt.nginx @@ -0,0 +1,4 @@ +location /.well-known/acme-challenge { + alias /srv/http/.well-known/acme-challenge; + allow all; +} diff --git a/templates/nginx.conf b/templates/nginx.conf new file mode 100644 index 0000000..d1dab2c --- /dev/null +++ b/templates/nginx.conf @@ -0,0 +1,49 @@ +#user html; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + include mime.types; + default_type application/octet-stream; + + types_hash_max_size 2048; + types_hash_bucket_size 128; + server_names_hash_bucket_size 128; + + access_log off; + sendfile on; + + #tcp_nopush on; + keepalive_timeout 65; + + ssl_session_timeout 1d; + ssl_session_cache shared:MozSSL:10m; # about 40000 sessions + ssl_session_tickets off; + + # intermediate configuration + ssl_protocols TLSv1.2 TLSv1.3; + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384; + ssl_prefer_server_ciphers off; + + # HSTS (ngx_http_headers_module is required) (63072000 seconds) + add_header Strict-Transport-Security "max-age=63072000" always; + + # OCSP stapling + ssl_stapling on; + ssl_stapling_verify on; + + gzip on; + + include /etc/nginx/sites.d/*.act; +}