roles/nginx: Rework Let's Encrypt stuff
Take an opinionated stance on HTTPS and assume that hosts are using HTTPS for all vhosts. This can either be via custom TLS cert/key pairs defined in the host's variables (could even be self-signed certificates on dev boxes) or via Let's Encrypt.
parent
1254cea195
commit
0cd2735c82
@ -19,6 +19,9 @@ nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
|
|||||||
# Directory root for Let's Encrypt certs
|
# Directory root for Let's Encrypt certs
|
||||||
letsencrypt_root: /etc/letsencrypt/live
|
letsencrypt_root: /etc/letsencrypt/live
|
||||||
|
|
||||||
|
# Location of Let's Encrypt's certbot script
|
||||||
|
letsencrypt_certbot_dest: /opt/certbot-auto
|
||||||
|
|
||||||
# stable is 1.10.x
|
# stable is 1.10.x
|
||||||
# mainline is 1.11.x
|
# mainline is 1.11.x
|
||||||
nginx_version: mainline
|
nginx_version: mainline
|
||||||
|
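--- /dev/null
+++ b/roles/nginx/files/renew-letsencrypt.timer
@@ -0,0 +1,12 @@
+[Unit]
+Description=Daily renewal of Let's Encrypt's certificates
+
+[Timer]
+# twice a day, at midnight and noon
+OnCalendar=*-*-* 00,12:00:00
+# Add a random delay of 0–3600 seconds
+RandomizedDelaySec=3600
+Persistent=true
+
+[Install]
+WantedBy=timers.target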
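Review bot: `Description=Daily renewal of Let's Encrypt's certificates` contradicts the schedule two lines below, where `OnCalendar=*-*-* 00,12:00:00` fires twice a day. Suggest `Description=Twice-daily renewal of Let's Encrypt certificates` so that `systemctl list-timers` and journal output describe what the timer actually does. The `RandomizedDelaySec=3600` and `Persistent=true` pairing is appropriate for a renewal job and needs no change.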
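--- /dev/null
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -0,0 +1,22 @@
+---
+
+- name: Copy systemd service to renew Let's Encrypt certs
+  template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root
+  register: letsencrypt_service
+
+- name: Copy systemd timer to renew Let's Encrypt certs
+  copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root
+  register: letsencrypt_timer
+
+# need to reload to pick up service/timer changes
+- name: Reload systemd daemon
+  command: /bin/systemctl daemon-reload
+  when: letsencrypt_service|changed or letsencrypt_timer|changed
+
+- name: Start and enable systemd timer to renew Let's Encrypt certs
+  service: name=renew-letsencrypt.timer state=started enabled=yes
+
+- name: Download certbot
+  get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700
+
+# vim: set ts=2 sw=2: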
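Review bot: The `Download certbot` task installs an executable that the renewal service later runs as root, but `get_url` is given no `checksum`, so a tampered or truncated download is written to `{{ letsencrypt_certbot_dest }}` without any integrity check beyond the TLS transport. Pin the artifact, e.g. `get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=0700 checksum=sha256:<EXPECTED_SHA256>` (placeholder; the value should be taken from a download whose published detached signature was verified first). `mode=700` should also be written as `0700` so the octal intent is unambiguous rather than relying on Ansible's interpretation of a bare decimal-looking string. Minor: `letsencrypt_service|changed` uses the `changed` test as a filter, which newer Ansible releases deprecate in favour of `letsencrypt_service is changed`.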
@ -32,4 +32,8 @@
|
|||||||
with_items: "{{ nginx_vhosts }}"
|
with_items: "{{ nginx_vhosts }}"
|
||||||
tags: wordpress
|
tags: wordpress
|
||||||
|
|
||||||
|
- include: letsencrypt.yml
|
||||||
|
when: use_letsencrypt == 'yes'
|
||||||
|
tags: letsencrypt
|
||||||
|
|
||||||
# vim: set ts=2 sw=2:
|
# vim: set ts=2 sw=2:
|
||||||
|
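Review bot: `when: use_letsencrypt == 'yes'` on the new include compares against the string `'yes'`, so a host that sets `use_letsencrypt: yes` unquoted (which YAML loads as boolean true) silently skips letsencrypt.yml, and a host that never defines the variable fails the include with an undefined-variable error, since the visible defaults hunk in this commit does not add a default for it. A boolean test is more robust: `when: use_letsencrypt | default(false) | bool`. Note too that the vhost template in this commit falls back to the Let's Encrypt paths for any vhost without a custom cert regardless of this flag, so the flag gates only the renewal setup, not the nginx configuration; that mismatch is worth a comment on the include. The enclosing task list starts outside the hunk.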
@ -2,28 +2,22 @@
|
|||||||
{% set domain_name = item.domain_name %}
|
{% set domain_name = item.domain_name %}
|
||||||
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
|
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
|
||||||
{% set enable_hsts = item.enable_hsts | default("no") %}
|
{% set enable_hsts = item.enable_hsts | default("no") %}
|
||||||
{# assume a vhost is not using Let's Encrypt unless it explicitly sets it to "yes" #}
|
|
||||||
{% set use_letsencrypt = item.use_letsencrypt | default("no") %}
|
|
||||||
|
|
||||||
{% if use_letsencrypt == "yes" %}
|
{# first, check if the current vhost has a custom cert (perhaps self-signed) #}
|
||||||
|
{% if item.tls_certificate_path and item.tls_key_path %}
|
||||||
# concatenated key + cert
|
|
||||||
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
|
||||||
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
|
|
||||||
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
|
|
||||||
|
|
||||||
{% elif item.tls_certificate_path and item.tls_key_path %}
|
|
||||||
|
|
||||||
# concatenated key + cert
|
# concatenated key + cert
|
||||||
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
||||||
ssl_certificate {{ item.tls_certificate_path }};
|
ssl_certificate {{ item.tls_certificate_path }};
|
||||||
ssl_certificate_key {{ item.tls_key_path }};
|
ssl_certificate_key {{ item.tls_key_path }};
|
||||||
|
|
||||||
|
{# otherwise, assume host is using letsencrypt #}
|
||||||
{% else %}
|
{% else %}
|
||||||
|
|
||||||
# "snakeoil" certificate (self signed!)
|
# concatenated key + cert
|
||||||
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
|
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
|
||||||
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
|
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
|
||||||
|
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
|
||||||
|
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
||||||
|
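Review bot: The `{% else %}` branch now points every vhost without a custom cert at `{{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem`, including on hosts where the Let's Encrypt tasks are never included; nginx refuses to load a server block whose `ssl_certificate` file is missing, so such a host ends up with a configuration that fails validation rather than the snakeoil fallback this commit removes. If that is the intended stance, say so where the fallback used to be, e.g. `{# no fallback: without tls_certificate_path/tls_key_path the Let's Encrypt files for this domain must already exist or nginx will refuse to load #}`. Separately, `{% if item.tls_certificate_path and item.tls_key_path %}` presumably raises under Ansible's strict undefined handling for vhosts that do not define those keys at all; `{% if item.tls_certificate_path | default('') and item.tls_key_path | default('') %}` makes the optional keys explicit. The comment `# concatenated key + cert` is also inaccurate for the Let's Encrypt branch, where `fullchain.pem` holds the leaf plus intermediate certificates and the key lives in `privkey.pem`. The surrounding server block starts and ends outside the hunk.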
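--- /dev/null
+++ b/roles/nginx/templates/renew-letsencrypt.service.j2
@@ -0,0 +1,6 @@
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"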
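Review bot: `--standalone` with `--pre-hook "/bin/systemctl stop nginx"` takes every vhost on the host offline for the duration of each real renewal, and if certbot is killed or the unit is interrupted between the two hooks, nginx stays stopped until the next timer run. A webroot challenge avoids the outage: serve `/.well-known/acme-challenge/` from nginx and run `renew --webroot -w <ACME_WEBROOT_PLACEHOLDER> --deploy-hook "/bin/systemctl reload nginx"`, so nginx is only reloaded, and only after a successful renewal. If standalone mode is kept deliberately (for example because port 80 is not served by nginx on these hosts), a comment in the unit stating that trade-off would help the next maintainer.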