Initial commit

2021-01-04 22:28:13 +01:00 · 2021-01-04 22:28:13 +01:00 · e214e929a6
commit e214e929a6
7 changed files with 190 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,16 @@
 # Websites ansible role
 This role is here to setup a website with nginx, and letsencrypt certificates using acme.sh.
 Without parameters, this setups nginx, php-fpm, with a default http to https redirection and letsencrypt passthrough.
 The TLS port is 8443 (on localhost) for sslh passthrough.
 Uses the acme_sh role.
 ## Role parameters
 ``websites_enabled``: a list of websites to enable, the first of which will serve as an identifer for acme.sh.
 it expects the website-specific nginx config files to be in ``<playbook root>/templates/nginx/<domain>.conf.j2``. If a file is not found (e.g. because the file serves both ``www.`` and ``@``), it will continue the process anyway.
--- a/files/letsencrypt
+++ b/files/letsencrypt
@ -0,0 +1,6 @@
 location /.well-known/acme-challenge/ {
    root /var/lib/letsencrypt/webroot/;
    allow all;
    default_type text/plain;
    break;
 }
--- a/files/nginx.conf
+++ b/files/nginx.conf
@ -0,0 +1,43 @@
 user http;
 worker_processes  4;
 error_log  /var/log/nginx/error.log info;
 #error_log  logs/error.log  notice;
 events {
    worker_connections  1024;
 }
 http {
    include       mime.types;
    include       redir.conf;
    include       conf.d/*.conf;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 64;
    types_hash_max_size 4096;
    index  index.xhtml index.html index.htm;
    port_in_redirect off;
    add_header X-Frame-Options DENY;
    add_header Referrer-policy "no-referrer";
    add_header Expect-CT "enforce; max-age=86400";
    #add_header X-Content-Type-Options nosniff;
    #add_header Content-Security-Policy "script-src 'self'";
    add_header X-XSS-Protection "1; mode=block";
    #access_log  logs/access.log  main;
    sendfile        on;
    #tcp_nopush     on;
    #keepalive_timeout  0;
    #keepalive_timeout  65;
    gzip  on;
 }
--- a/files/redir.conf
+++ b/files/redir.conf
@ -0,0 +1,9 @@
 server {
    listen 80;
    listen [::]:80;
    server_name _;
    include letsencrypt;
    location / {
        return 301 https://$host$request_uri;
    }
 }
--- a/tasks/add_websites.yml
+++ b/tasks/add_websites.yml
@ -0,0 +1,33 @@
 ---
 - name: Install tls params
  template:
    dest: "/etc/nginx/tls_{{ websites_enabled[0] }}"
    src: tls.j2
    mode: 0600
    owner: http
    group: http
 - name: Generate certs
  include_role:
    name: acme_sh
  vars:
    acme_domains: websites_enabled
    acme_dest: /etc/nginx/certs/
    acme_owner: http
    acme_reload_cmd: "systemctl reload nginx || true"
 - name: Install nginx websites
  template:
    src: "{{ playbook_dir }}/templates/nginx/{{ item }}.conf"
    dest: "/etc/nginx/conf.d/{{ item }}.conf"
    owner: http
    group: http
    mode: 0600
  ignore_errors: true
  loop: "{{ websites_enabled }}"
 - name: reload nginx
  systemd:
    enabled: true
    name: nginx
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,69 @@
 # Main tasks: install base nginx and letsencrypt redirect
 ---
 - name: Install packages
  community.general.pacman:
    state: present
    name:
      - nginx
      - php-fpm
      - mime-types
 - name: Generate dhparam
  command:
    cmd: openssl dhparam -out /etc/nginx/dh-4096.pem 4096
    creates: /etc/nginx/dh-4096.pem
 - name: Enable php-fpm
  systemd:
    enabled: true
    state: started
    name: php-fpm
 - name: Create letsencrypt directory
  file:
    path: /var/lib/letsencrypt/webroot/.well-known/acme-challenge/
    recurse: true
    state: directory
    mode: 0755
    owner: http
    group: http
 - name: create cert dir
  file:
    path: /etc/nginx/certs/
    recurse: true
    state: directory
    mode: 0711
    owner: http
    group: http
 - name: create conf dir
  file:
    path: /etc/nginx/conf.d/
    recurse: true
    state: directory
    mode: 0711
    owner: http
    group: http
 - name: Install config
  copy:
    src: '{{ item }}'
    dest: "/etc/nginx/{{ item }}"
    owner: http
    group: http
    mode: 0600
  loop:
    - nginx.conf
    - redir.conf
    - letsencrypt
 - name: Start nginx
  systemd:
    enabled: true
    state: started
    name: nginx
 - include: add_websites.yml
  when: websites_enabled is defined
--- a/templates/tls.j2
+++ b/templates/tls.j2
@ -0,0 +1,14 @@
    ssl_certificate /etc/nginx/certs/{{ websites_enabled[0] }}.crt;
    ssl_certificate_key /etc/nginx/certs/{{ websites_enabled[0] }}.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_dhparam dh-4096.pem;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off; # Requires nginx >= 1.5.9
    ssl_stapling on; # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx => 1.3.7
    resolver_timeout 5s;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";