From cd6fac65701b49cc15b3156b88f24f146b5d33ad Mon Sep 17 00:00:00 2001
From: genofire <geno+dev@fireorbit.de>
Date: Tue, 21 Jul 2020 02:22:32 +0200
Subject: [PATCH] init

---
 handlers/main.yml               |  8 ++++
 tasks/main.yml                  | 66 +++++++++++++++++++++++++++++++++
 templates/00-tls-redirect.nginx | 12 ++++++
 templates/10-tls.nginx          | 21 +++++++++++
 templates/dehydrated            |  2 +
 templates/letsencrypt.nginx     |  4 ++
 templates/nginx.conf            | 49 ++++++++++++++++++++++++
 7 files changed, 162 insertions(+)
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/main.yml
 create mode 100644 templates/00-tls-redirect.nginx
 create mode 100644 templates/10-tls.nginx
 create mode 100644 templates/dehydrated
 create mode 100644 templates/letsencrypt.nginx
 create mode 100644 templates/nginx.conf

diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..3ee3fc9
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+- name: reload nginx
+  systemd:
+    name: nginx
+    state: reloaded
+
+- name: dehydrated
+  command: /usr/bin/dehydrated -c
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..a96306e
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,66 @@
+- name: Install
+  package:
+    name:
+    - nginx
+    - dehydrated
+
+- name: create folders
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+  - /srv/http/.well-known/acme-challenge
+  - /etc/nginx/sites.d
+  - /etc/nginx/snippets
+
+- name: templates
+  notify: reload nginx
+  template:
+    src: "{{ item.file }}"
+    dest: "/etc/nginx/{{ item.path }}"
+  with_items:
+  - file: nginx.conf
+    path: nginx.conf
+  - file: letsencrypt.nginx
+    path: snippets/letsencrypt.conf
+  - file: 00-tls-redirect.nginx
+    path: sites.d/00-tls-redirect.act
+
+- name: started
+  systemd:
+    name: nginx
+    state: started
+
+- name: config dehydrated
+  template:
+    src: dehydrated
+    dest: /etc/dehydrated/config
+
+- name: get let's encrypt account 
+  command: /usr/bin/dehydrated --register --accept-terms
+  args:
+    creates: /etc/dehydrated/accounts
+
+- name: get inventory_hostname cert
+  notify: dehydrated
+  lineinfile:
+    path: /etc/dehydrated/domains.txt
+    line: "{{ inventory_hostname }}"
+    create: yes
+
+- name: templates
+  notify: reload nginx
+  template:
+    src: "10-tls.nginx"
+    dest: "/etc/nginx/sites.d/10-tls.act"
+
+- name: enabled dehydrated
+  systemd:
+    name: dehydrated.timer
+    state: started
+    enabled: yes
+
+- name: enabled nginx
+  systemd:
+    name: nginx
+    enabled: yes
diff --git a/templates/00-tls-redirect.nginx b/templates/00-tls-redirect.nginx
new file mode 100644
index 0000000..5686ad5
--- /dev/null
+++ b/templates/00-tls-redirect.nginx
@@ -0,0 +1,12 @@
+server {
+	listen [::]:80;
+	listen 80;
+
+	server_name _;
+
+	location / {
+		return 301 https://$host$request_uri;
+	}
+
+	include snippets/letsencrypt.conf;
+}
diff --git a/templates/10-tls.nginx b/templates/10-tls.nginx
new file mode 100644
index 0000000..ee5a432
--- /dev/null
+++ b/templates/10-tls.nginx
@@ -0,0 +1,21 @@
+server {
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+
+	server_name {{ inventory_hostname }};
+
+	ssl_certificate /etc/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem;
+	ssl_certificate_key /etc/dehydrated/certs/{{ inventory_hostname }}/privkey.pem;
+
+	location / {
+		root   /usr/share/nginx/html;
+		index  index.html index.htm;
+	}
+
+	error_page   500 502 503 504  /50x.html;
+	location = /50x.html {
+		root   /usr/share/nginx/html;
+	}
+
+	include snippets/letsencrypt.conf;
+}
diff --git a/templates/dehydrated b/templates/dehydrated
new file mode 100644
index 0000000..5b0c982
--- /dev/null
+++ b/templates/dehydrated
@@ -0,0 +1,2 @@
+WELLKNOWN=/srv/http/.well-known/acme-challenge
+CONTACT_EMAIL={{ nginx_dehydrated_email  }}
diff --git a/templates/letsencrypt.nginx b/templates/letsencrypt.nginx
new file mode 100644
index 0000000..f8b03d4
--- /dev/null
+++ b/templates/letsencrypt.nginx
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge {
+	alias /srv/http/.well-known/acme-challenge;
+	allow all;
+}
diff --git a/templates/nginx.conf b/templates/nginx.conf
new file mode 100644
index 0000000..d1dab2c
--- /dev/null
+++ b/templates/nginx.conf
@@ -0,0 +1,49 @@
+#user html;
+worker_processes  1;
+
+#error_log  logs/error.log;
+#error_log  logs/error.log  notice;
+#error_log  logs/error.log  info;
+
+#pid	logs/nginx.pid;
+
+
+events {
+	worker_connections	1024;
+}
+
+
+http {
+	include		mime.types;
+	default_type	application/octet-stream;
+
+	types_hash_max_size 2048;
+	types_hash_bucket_size 128;
+	server_names_hash_bucket_size 128;
+
+	access_log	off;
+	sendfile	on;
+
+	#tcp_nopush		on;
+	keepalive_timeout	65;
+
+	ssl_session_timeout 1d;
+	ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
+	ssl_session_tickets off;
+
+	# intermediate configuration
+	ssl_protocols TLSv1.2 TLSv1.3;
+	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+	ssl_prefer_server_ciphers off;
+
+	# HSTS (ngx_http_headers_module is required) (63072000 seconds)
+	add_header Strict-Transport-Security "max-age=63072000" always;
+
+	# OCSP stapling
+	ssl_stapling on;
+	ssl_stapling_verify on;
+
+	gzip  on;
+
+	include /etc/nginx/sites.d/*.act; 
+}