roles: run ansible-lint --write
This commit is contained in:
@ -14,11 +14,11 @@ nginx_ssl_session_cache: shared:SSL:10m
|
||||
# 1400 bytes to fit in one MTU (default is 16k!)
|
||||
nginx_ssl_buffer_size: 1400
|
||||
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
|
||||
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
|
||||
nginx_ssl_protocols: TLSv1.2 TLSv1.3
|
||||
|
||||
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
|
||||
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
|
||||
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
|
||||
nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
|
||||
|
||||
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
|
||||
# in seconds, see: https://hstspreload.org/
|
||||
|
||||
@ -1,91 +1,90 @@
|
||||
---
|
||||
|
||||
# Use acme.sh instead of certbot because they only support installation via
|
||||
# snap now.
|
||||
- block:
|
||||
- name: Remove certbot
|
||||
ansible.builtin.apt:
|
||||
name: certbot
|
||||
state: absent
|
||||
- name: Remove certbot
|
||||
ansible.builtin.apt:
|
||||
name: certbot
|
||||
state: absent
|
||||
|
||||
- name: Remove old certbot post and pre hooks for nginx
|
||||
ansible.builtin.file:
|
||||
dest: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
|
||||
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
|
||||
- name: Remove old certbot post and pre hooks for nginx
|
||||
ansible.builtin.file:
|
||||
dest: "{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
|
||||
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
|
||||
|
||||
- name: Check if acme.sh is installed
|
||||
ansible.builtin.stat:
|
||||
path: "{{ letsencrypt_acme_home }}"
|
||||
register: acme_home
|
||||
- name: Check if acme.sh is installed
|
||||
ansible.builtin.stat:
|
||||
path: "{{ letsencrypt_acme_home }}"
|
||||
register: acme_home
|
||||
|
||||
- name: Download acme.sh
|
||||
ansible.builtin.get_url:
|
||||
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
|
||||
dest: "{{ letsencrypt_acme_script_temp }}"
|
||||
mode: 0700
|
||||
register: acme_download
|
||||
when: not acme_home.stat.exists
|
||||
- name: Download acme.sh
|
||||
ansible.builtin.get_url:
|
||||
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
|
||||
dest: "{{ letsencrypt_acme_script_temp }}"
|
||||
mode: "0700"
|
||||
register: acme_download
|
||||
when: not acme_home.stat.exists
|
||||
|
||||
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
|
||||
# have to chdir to the /root directory where the script exists or else it
|
||||
# fails. Ansible runs it, but the script can't find itself...).
|
||||
- name: Install acme.sh
|
||||
ansible.builtin.command:
|
||||
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
|
||||
creates: "{{ letsencrypt_acme_home }}/acme.sh"
|
||||
chdir: /root
|
||||
register: acme_install
|
||||
when: acme_download is changed
|
||||
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
|
||||
# have to chdir to the /root directory where the script exists or else it
|
||||
# fails. Ansible runs it, but the script can't find itself...).
|
||||
- name: Install acme.sh
|
||||
ansible.builtin.command:
|
||||
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
|
||||
creates: "{{ letsencrypt_acme_home }}/acme.sh"
|
||||
chdir: /root
|
||||
register: acme_install
|
||||
when: acme_download is changed
|
||||
|
||||
- name: Remove temporary acme.sh script
|
||||
ansible.builtin.file:
|
||||
dest: "{{ letsencrypt_acme_script_temp }}"
|
||||
state: absent
|
||||
when:
|
||||
- acme_install.rc is defined
|
||||
- acme_install.rc == 0
|
||||
- name: Remove temporary acme.sh script
|
||||
ansible.builtin.file:
|
||||
dest: "{{ letsencrypt_acme_script_temp }}"
|
||||
state: absent
|
||||
when:
|
||||
- acme_install.rc is defined
|
||||
- acme_install.rc == 0
|
||||
|
||||
- name: Set default certificate authority for acme.sh
|
||||
ansible.builtin.command:
|
||||
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
|
||||
- name: Set default certificate authority for acme.sh
|
||||
ansible.builtin.command:
|
||||
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
|
||||
|
||||
- name: Prepare Let's Encrypt well-known directory
|
||||
ansible.builtin.file:
|
||||
state: directory
|
||||
path: /var/lib/letsencrypt/.well-known
|
||||
owner: root
|
||||
group: nginx
|
||||
mode: g+s
|
||||
- name: Prepare Let's Encrypt well-known directory
|
||||
ansible.builtin.file:
|
||||
state: directory
|
||||
path: /var/lib/letsencrypt/.well-known
|
||||
owner: root
|
||||
group: nginx
|
||||
mode: g+s
|
||||
|
||||
- name: Copy systemd service to renew Let's Encrypt certs
|
||||
ansible.builtin.template:
|
||||
src: renew-letsencrypt.service.j2
|
||||
dest: /etc/systemd/system/renew-letsencrypt.service
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: root
|
||||
- name: Copy systemd service to renew Let's Encrypt certs
|
||||
ansible.builtin.template:
|
||||
src: renew-letsencrypt.service.j2
|
||||
dest: /etc/systemd/system/renew-letsencrypt.service
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Copy systemd timer to renew Let's Encrypt certs
|
||||
ansible.builtin.copy:
|
||||
src: renew-letsencrypt.timer
|
||||
dest: /etc/systemd/system/renew-letsencrypt.timer
|
||||
mode: 0644
|
||||
owner: root
|
||||
group: root
|
||||
- name: Copy systemd timer to renew Let's Encrypt certs
|
||||
ansible.builtin.copy:
|
||||
src: renew-letsencrypt.timer
|
||||
dest: /etc/systemd/system/renew-letsencrypt.timer
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
# always issues daemon-reload just in case the service/timer changed
|
||||
- name: Start and enable systemd timer to renew Let's Encrypt certs
|
||||
ansible.builtin.systemd:
|
||||
name: renew-letsencrypt.timer
|
||||
state: started
|
||||
enabled: true
|
||||
daemon_reload: true
|
||||
# always issues daemon-reload just in case the service/timer changed
|
||||
- name: Start and enable systemd timer to renew Let's Encrypt certs
|
||||
ansible.builtin.systemd:
|
||||
name: renew-letsencrypt.timer
|
||||
state: started
|
||||
enabled: true
|
||||
daemon_reload: true
|
||||
|
||||
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
|
||||
or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
|
||||
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
|
||||
is version('11', '>='))
|
||||
tags: letsencrypt
|
||||
|
||||
# vim: set ts=2 sw=2:
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
---
|
||||
- name: Remove nginx apt signing key from apt-key
|
||||
ansible.builtin.apt_key:
|
||||
id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
|
||||
id: "053473772654754373614404074646527257655730117366337542"
|
||||
state: absent
|
||||
tags:
|
||||
- packages
|
||||
@ -21,7 +21,7 @@
|
||||
dest: /usr/share/keyrings/nginx_signing.key
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
register: download_nginx_signing_key
|
||||
when: not nginx_signing_key_stat.stat.exists
|
||||
tags:
|
||||
@ -34,7 +34,7 @@
|
||||
dest: /etc/apt/sources.list.d/nginx_org_sources.list
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
register: add_nginx_apt_repository
|
||||
tags:
|
||||
- nginx
|
||||
@ -43,9 +43,7 @@
|
||||
- name: Update apt cache
|
||||
ansible.builtin.apt: # noqa no-handler
|
||||
update_cache: true
|
||||
when:
|
||||
(download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or
|
||||
add_nginx_apt_repository is changed
|
||||
when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
|
||||
|
||||
- name: Install nginx
|
||||
ansible.builtin.apt:
|
||||
@ -60,7 +58,7 @@
|
||||
ansible.builtin.template:
|
||||
src: nginx.conf.j2
|
||||
dest: /etc/nginx/nginx.conf
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
@ -70,8 +68,8 @@
|
||||
- name: Copy extra nginx configs
|
||||
ansible.builtin.copy:
|
||||
src: "{{ item }}"
|
||||
dest: "/etc/nginx/{{ item }}"
|
||||
mode: 0644
|
||||
dest: /etc/nginx/{{ item }}
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
loop:
|
||||
@ -93,7 +91,7 @@
|
||||
state: directory
|
||||
owner: nginx
|
||||
group: nginx
|
||||
mode: 0755
|
||||
mode: "0755"
|
||||
tags: nginx
|
||||
|
||||
- name: Configure nginx virtual hosts
|
||||
@ -110,7 +108,7 @@
|
||||
ansible.builtin.template:
|
||||
src: blank-vhost.conf.j2
|
||||
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
@ -121,7 +119,7 @@
|
||||
ansible.builtin.copy:
|
||||
src: munin.conf
|
||||
dest: /etc/nginx/conf.d/munin.conf
|
||||
mode: 0644
|
||||
mode: "0644"
|
||||
owner: root
|
||||
group: root
|
||||
notify:
|
||||
|
||||
@ -1,29 +1,29 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- name: Configure https vhosts
|
||||
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
notify:
|
||||
- reload nginx
|
||||
- name: Configure https vhosts
|
||||
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
notify:
|
||||
- reload nginx
|
||||
|
||||
- name: Generate self-signed TLS cert
|
||||
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
|
||||
notify:
|
||||
- reload nginx
|
||||
- name: Generate self-signed TLS cert
|
||||
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
|
||||
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
|
||||
notify:
|
||||
- reload nginx
|
||||
|
||||
- name: Download 4096-bit RFC 7919 dhparams
|
||||
ansible.builtin.get_url:
|
||||
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
|
||||
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
|
||||
dest: "{{ nginx_ssl_dhparam }}"
|
||||
notify:
|
||||
- reload nginx
|
||||
- name: Download 4096-bit RFC 7919 dhparams
|
||||
ansible.builtin.get_url:
|
||||
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
|
||||
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
|
||||
dest: "{{ nginx_ssl_dhparam }}"
|
||||
notify:
|
||||
- reload nginx
|
||||
|
||||
# TODO: this could break because we can override the document root in host vars
|
||||
- name: Create vhost document roots
|
||||
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
# TODO: this could break because we can override the document root in host vars
|
||||
- name: Create vhost document roots
|
||||
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
tags: nginx
|
||||
|
||||
# vim: set ts=2 sw=2:
|
||||
|
||||
@ -1,19 +1,19 @@
|
||||
---
|
||||
|
||||
- block:
|
||||
- name: Install WordPress
|
||||
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
|
||||
when:
|
||||
- item.has_wordpress is defined
|
||||
- item.has_wordpress
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
- name: Install WordPress
|
||||
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
|
||||
}} depth=1 force=true
|
||||
when:
|
||||
- item.has_wordpress is defined
|
||||
- item.has_wordpress
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
|
||||
- name: Fix WordPress directory permissions
|
||||
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
|
||||
when:
|
||||
- item.has_wordpress is defined
|
||||
- item.has_wordpress
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
- name: Fix WordPress directory permissions
|
||||
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
|
||||
when:
|
||||
- item.has_wordpress is defined
|
||||
- item.has_wordpress
|
||||
loop: "{{ nginx_vhosts }}"
|
||||
tags: wordpress
|
||||
|
||||
# vim: set ts=2 sw=2:
|
||||
|
||||
Reference in New Issue
Block a user