sum7
/
ansible-role-webserver
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

init

This commit is contained in:
genofire 2020-07-21 02:22:32 +02:00
commit cd6fac6570
7 changed files with 162 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
handlers/main.yml Normal file
View File

@ -0,0 +1,8 @@
---
- name: reload nginx
systemd:
name: nginx
state: reloaded
- name: dehydrated
command: /usr/bin/dehydrated -c

66
tasks/main.yml Normal file
View File

@ -0,0 +1,66 @@
- name: Install
package:
name:
- nginx
- dehydrated
- name: create folders
file:
path: "{{ item }}"
state: directory
with_items:
- /srv/http/.well-known/acme-challenge
- /etc/nginx/sites.d
- /etc/nginx/snippets
- name: templates
notify: reload nginx
template:
src: "{{ item.file }}"
dest: "/etc/nginx/{{ item.path }}"
with_items:
- file: nginx.conf
path: nginx.conf
- file: letsencrypt.nginx
path: snippets/letsencrypt.conf
- file: 00-tls-redirect.nginx
path: sites.d/00-tls-redirect.act
- name: started
systemd:
name: nginx
state: started
- name: config dehydrated
template:
src: dehydrated
dest: /etc/dehydrated/config
- name: get let's encrypt account
command: /usr/bin/dehydrated --register --accept-terms
args:
creates: /etc/dehydrated/accounts
- name: get inventory_hostname cert
notify: dehydrated
lineinfile:
path: /etc/dehydrated/domains.txt
line: "{{ inventory_hostname }}"
create: yes
- name: templates
notify: reload nginx
template:
src: "10-tls.nginx"
dest: "/etc/nginx/sites.d/10-tls.act"
- name: enabled dehydrated
systemd:
name: dehydrated.timer
state: started
enabled: yes
- name: enabled nginx
systemd:
name: nginx
enabled: yes

12
templates/00-tls-redirect.nginx Normal file
View File

@ -0,0 +1,12 @@
server {
listen [::]:80;
listen 80;
server_name _;
location / {
return 301 https://$host$request_uri;
}
include snippets/letsencrypt.conf;
}

21
templates/10-tls.nginx Normal file
View File

@ -0,0 +1,21 @@
server {
listen [::]:443 ssl http2;
listen 443 ssl http2;
server_name {{ inventory_hostname }};
ssl_certificate /etc/dehydrated/certs/{{ inventory_hostname }}/fullchain.pem;
ssl_certificate_key /etc/dehydrated/certs/{{ inventory_hostname }}/privkey.pem;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
include snippets/letsencrypt.conf;
}

2
templates/dehydrated Normal file
View File

@ -0,0 +1,2 @@
WELLKNOWN=/srv/http/.well-known/acme-challenge
CONTACT_EMAIL={{ nginx_dehydrated_email }}

4
templates/letsencrypt.nginx Normal file
View File

@ -0,0 +1,4 @@
location /.well-known/acme-challenge {
alias /srv/http/.well-known/acme-challenge;
allow all;
}

49
templates/nginx.conf Normal file
View File

@ -0,0 +1,49 @@
#user html;
worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
types_hash_max_size 2048;
types_hash_bucket_size 128;
server_names_hash_bucket_size 128;
access_log off;
sendfile on;
#tcp_nopush on;
keepalive_timeout 65;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
ssl_session_tickets off;
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
# OCSP stapling
ssl_stapling on;
ssl_stapling_verify on;
gzip on;
include /etc/nginx/sites.d/*.act;
}