commit
e214e929a6
@ -0,0 +1,16 @@ |
||||
# Websites ansible role |
||||
|
||||
This role is here to setup a website with nginx, and letsencrypt certificates using acme.sh. |
||||
|
||||
Without parameters, this setups nginx, php-fpm, with a default http to https redirection and letsencrypt passthrough. |
||||
|
||||
The TLS port is 8443 (on localhost) for sslh passthrough. |
||||
|
||||
Uses the acme_sh role. |
||||
|
||||
## Role parameters |
||||
|
||||
``websites_enabled``: a list of websites to enable, the first of which will serve as an identifer for acme.sh. |
||||
|
||||
it expects the website-specific nginx config files to be in ``<playbook root>/templates/nginx/<domain>.conf.j2``. If a file is not found (e.g. because the file serves both ``www.`` and ``@``), it will continue the process anyway. |
||||
|
@ -0,0 +1,6 @@ |
||||
location /.well-known/acme-challenge/ { |
||||
root /var/lib/letsencrypt/webroot/; |
||||
allow all; |
||||
default_type text/plain; |
||||
break; |
||||
} |
@ -0,0 +1,43 @@ |
||||
|
||||
user http; |
||||
worker_processes 4; |
||||
|
||||
error_log /var/log/nginx/error.log info; |
||||
#error_log logs/error.log notice; |
||||
|
||||
events { |
||||
worker_connections 1024; |
||||
} |
||||
|
||||
|
||||
http { |
||||
include mime.types; |
||||
|
||||
include redir.conf; |
||||
include conf.d/*.conf; |
||||
|
||||
default_type application/octet-stream; |
||||
server_names_hash_bucket_size 64; |
||||
types_hash_max_size 4096; |
||||
index index.xhtml index.html index.htm; |
||||
|
||||
|
||||
port_in_redirect off; |
||||
|
||||
add_header X-Frame-Options DENY; |
||||
add_header Referrer-policy "no-referrer"; |
||||
add_header Expect-CT "enforce; max-age=86400"; |
||||
#add_header X-Content-Type-Options nosniff; |
||||
#add_header Content-Security-Policy "script-src 'self'"; |
||||
add_header X-XSS-Protection "1; mode=block"; |
||||
|
||||
#access_log logs/access.log main; |
||||
|
||||
sendfile on; |
||||
#tcp_nopush on; |
||||
|
||||
#keepalive_timeout 0; |
||||
#keepalive_timeout 65; |
||||
|
||||
gzip on; |
||||
} |
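Review bot: The `add_header` lines in the http block (X-Frame-Options, Referrer-policy, Expect-CT, X-XSS-Protection) are inherited by a server or location only when that level sets no `add_header` of its own, so any server that pulls in the tls template's `add_header Strict-Transport-Security` line (last section of this commit) silently loses all of them; either repeat them there or move them into a snippet that is included alongside the HSTS header. `Expect-CT` and `X-XSS-Protection` are deprecated headers that current browsers ignore and can be dropped, whereas the commented-out `add_header X-Content-Type-Options nosniff;` is the one worth enabling. A `server_tokens off;` line in the http block would also stop the nginx version from being advertised in the Server header and error pages.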
@ -0,0 +1,9 @@ |
||||
server { |
||||
listen 80; |
||||
listen [::]:80; |
||||
server_name _; |
||||
include letsencrypt; |
||||
location / { |
||||
return 301 https://$host$request_uri; |
||||
} |
||||
} |
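Review bot: The two `listen` directives carry no `default_server` flag, so this catch-all (`server_name _`) is the default for port 80 only because `include redir.conf` happens to precede `include conf.d/*.conf` in nginx.conf; a site config in conf.d that adds its own port-80 server and `default_server` would quietly take over. Making the intent explicit with `listen 80 default_server;` and `listen [::]:80 default_server;` removes the ordering dependency.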
@ -0,0 +1,33 @@ |
||||
--- |
||||
|
||||
- name: Install tls params |
||||
template: |
||||
dest: "/etc/nginx/tls_{{ websites_enabled[0] }}" |
||||
src: tls.j2 |
||||
mode: 0600 |
||||
owner: http |
||||
group: http |
||||
|
||||
- name: Generate certs |
||||
include_role: |
||||
name: acme_sh |
||||
vars: |
||||
acme_domains: websites_enabled |
||||
acme_dest: /etc/nginx/certs/ |
||||
acme_owner: http |
||||
acme_reload_cmd: "systemctl reload nginx || true" |
||||
|
||||
- name: Install nginx websites |
||||
template: |
||||
src: "{{ playbook_dir }}/templates/nginx/{{ item }}.conf" |
||||
dest: "/etc/nginx/conf.d/{{ item }}.conf" |
||||
owner: http |
||||
group: http |
||||
mode: 0600 |
||||
ignore_errors: true |
||||
loop: "{{ websites_enabled }}" |
||||
|
||||
- name: reload nginx |
||||
systemd: |
||||
enabled: true |
||||
name: nginx |
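Review bot: `acme_domains: websites_enabled` in the `Generate certs` task passes the literal string "websites_enabled" to the acme_sh role rather than the list; it should read `acme_domains: "{{ websites_enabled }}"`. The final `reload nginx` task only sets `enabled: true` and never reloads or restarts the service, so newly installed site configs and certificates are not picked up until something else reloads nginx — it needs `state: reloaded`, or better, the template tasks should `notify` a reload handler. `ignore_errors: true` on `Install nginx websites` hides every failure of that task (permission problems, template syntax errors), not only the missing-template case the README describes; a `first_found` lookup with `errors='ignore'`, or a `stat`/`when` guard on the source path, would skip just the missing file. The template `src` also ends in `.conf` whereas the README documents `<domain>.conf.j2`, so one of the two is wrong.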
@ -0,0 +1,69 @@ |
||||
# Main tasks: install base nginx and letsencrypt redirect |
||||
--- |
||||
|
||||
- name: Install packages |
||||
community.general.pacman: |
||||
state: present |
||||
name: |
||||
- nginx |
||||
- php-fpm |
||||
- mime-types |
||||
|
||||
- name: Generate dhparam |
||||
command: |
||||
cmd: openssl dhparam -out /etc/nginx/dh-4096.pem 4096 |
||||
creates: /etc/nginx/dh-4096.pem |
||||
|
||||
- name: Enable php-fpm |
||||
systemd: |
||||
enabled: true |
||||
state: started |
||||
name: php-fpm |
||||
|
||||
- name: Create letsencrypt directory |
||||
file: |
||||
path: /var/lib/letsencrypt/webroot/.well-known/acme-challenge/ |
||||
recurse: true |
||||
state: directory |
||||
mode: 0755 |
||||
owner: http |
||||
group: http |
||||
|
||||
- name: create cert dir |
||||
file: |
||||
path: /etc/nginx/certs/ |
||||
recurse: true |
||||
state: directory |
||||
mode: 0711 |
||||
owner: http |
||||
group: http |
||||
|
||||
- name: create conf dir |
||||
file: |
||||
path: /etc/nginx/conf.d/ |
||||
recurse: true |
||||
state: directory |
||||
mode: 0711 |
||||
owner: http |
||||
group: http |
||||
|
||||
- name: Install config |
||||
copy: |
||||
src: '{{ item }}' |
||||
dest: "/etc/nginx/{{ item }}" |
||||
owner: http |
||||
group: http |
||||
mode: 0600 |
||||
loop: |
||||
- nginx.conf |
||||
- redir.conf |
||||
- letsencrypt |
||||
|
||||
- name: Start nginx |
||||
systemd: |
||||
enabled: true |
||||
state: started |
||||
name: nginx |
||||
|
||||
- include: add_websites.yml |
||||
when: websites_enabled is defined |
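Review bot: `Install config`, `create cert dir` and `create conf dir` make the nginx configuration and the certificate directory owned by `http`, the same account the workers drop to via `user http;` in nginx.conf, so a compromised worker could rewrite the server configuration or swap key material; the master process reads these as root, so config files can be `owner: root` with `mode: "0644"` (or `root:http` with `"0640"`), and private keys should stay readable by root only unless acme.sh really runs as `http` — worth confirming against the acme_sh role before changing `acme_owner`. `include: add_websites.yml` is the long-deprecated bare include that current ansible-core releases no longer ship; use `include_tasks:` (dynamic, keeps the `when:`) or `import_tasks:`. Nothing here notifies a handler when `Install config` changes nginx.conf or redir.conf, so on re-runs a changed file is copied but nginx keeps serving the old configuration; add `notify: reload nginx` to that task with a handler running `systemd` with `state: reloaded`. The `mode` values (`0600`, `0711`, `0755`) are unquoted octal literals, which Ansible accepts because of the leading zero but linters flag; `mode: "0600"` is the conventional form.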
@ -0,0 +1,14 @@ |
||||
ssl_certificate /etc/nginx/certs/{{ websites_enabled[0] }}.crt; |
||||
ssl_certificate_key /etc/nginx/certs/{{ websites_enabled[0] }}.key; |
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3; |
||||
ssl_dhparam dh-4096.pem; |
||||
ssl_prefer_server_ciphers on; |
||||
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"; |
||||
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0 |
||||
ssl_session_cache shared:SSL:10m; |
||||
ssl_session_tickets off; # Requires nginx >= 1.5.9 |
||||
ssl_stapling on; # Requires nginx >= 1.3.7 |
||||
ssl_stapling_verify on; # Requires nginx => 1.3.7 |
||||
resolver_timeout 5s; |
||||
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"; |
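Review bot: `ssl_stapling on` with `ssl_stapling_verify on` is accompanied by `resolver_timeout 5s` but no `resolver` directive, so nginx cannot look up the OCSP responder host and stapling silently does nothing apart from a warning in the error log; add a `resolver` line pointing at a resolver the host trusts (and optionally `ssl_trusted_certificate` so verification has the issuer chain). `ssl_ecdh_curve secp384r1;` pins a single curve and excludes X25519, the curve modern clients offer first; `ssl_ecdh_curve X25519:secp384r1;` keeps the current behaviour for older clients. Adding `preload` to Strict-Transport-Security signals eligibility for browsers' preload lists, which is effectively permanent and covers every subdomain, so it should be a deliberate per-site choice rather than a default stamped on every website this role installs. This file is rendered once per `websites_enabled[0]`, so the `add_header` here also suppresses the http-level headers from nginx.conf in any server block that includes it (see the nginx.conf section).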