Initial commit

This commit is contained in:
Mathieu Pasquet 2021-01-04 22:28:13 +01:00
commit e214e929a6
7 changed files with 190 additions and 0 deletions

16
README.md Normal file
View File

@ -0,0 +1,16 @@
# Websites ansible role
This role is here to setup a website with nginx, and letsencrypt certificates using acme.sh.
Without parameters, this setups nginx, php-fpm, with a default http to https redirection and letsencrypt passthrough.
The TLS port is 8443 (on localhost) for sslh passthrough.
Uses the acme_sh role.
## Role parameters
``websites_enabled``: a list of websites to enable, the first of which will serve as an identifer for acme.sh.
it expects the website-specific nginx config files to be in ``<playbook root>/templates/nginx/<domain>.conf.j2``. If a file is not found (e.g. because the file serves both ``www.`` and ``@``), it will continue the process anyway.

6
files/letsencrypt Normal file
View File

@ -0,0 +1,6 @@
location /.well-known/acme-challenge/ {
root /var/lib/letsencrypt/webroot/;
allow all;
default_type text/plain;
break;
}

43
files/nginx.conf Normal file
View File

@ -0,0 +1,43 @@
user http;
worker_processes 4;
error_log /var/log/nginx/error.log info;
#error_log logs/error.log notice;
events {
worker_connections 1024;
}
http {
include mime.types;
include redir.conf;
include conf.d/*.conf;
default_type application/octet-stream;
server_names_hash_bucket_size 64;
types_hash_max_size 4096;
index index.xhtml index.html index.htm;
port_in_redirect off;
add_header X-Frame-Options DENY;
add_header Referrer-policy "no-referrer";
add_header Expect-CT "enforce; max-age=86400";
#add_header X-Content-Type-Options nosniff;
#add_header Content-Security-Policy "script-src 'self'";
add_header X-XSS-Protection "1; mode=block";
#access_log logs/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
#keepalive_timeout 65;
gzip on;
}

9
files/redir.conf Normal file
View File

@ -0,0 +1,9 @@
server {
listen 80;
listen [::]:80;
server_name _;
include letsencrypt;
location / {
return 301 https://$host$request_uri;
}
}

33
tasks/add_websites.yml Normal file
View File

@ -0,0 +1,33 @@
---
- name: Install tls params
template:
dest: "/etc/nginx/tls_{{ websites_enabled[0] }}"
src: tls.j2
mode: 0600
owner: http
group: http
- name: Generate certs
include_role:
name: acme_sh
vars:
acme_domains: websites_enabled
acme_dest: /etc/nginx/certs/
acme_owner: http
acme_reload_cmd: "systemctl reload nginx || true"
- name: Install nginx websites
template:
src: "{{ playbook_dir }}/templates/nginx/{{ item }}.conf"
dest: "/etc/nginx/conf.d/{{ item }}.conf"
owner: http
group: http
mode: 0600
ignore_errors: true
loop: "{{ websites_enabled }}"
- name: reload nginx
systemd:
enabled: true
name: nginx

69
tasks/main.yml Normal file
View File

@ -0,0 +1,69 @@
# Main tasks: install base nginx and letsencrypt redirect
---
- name: Install packages
community.general.pacman:
state: present
name:
- nginx
- php-fpm
- mime-types
- name: Generate dhparam
command:
cmd: openssl dhparam -out /etc/nginx/dh-4096.pem 4096
creates: /etc/nginx/dh-4096.pem
- name: Enable php-fpm
systemd:
enabled: true
state: started
name: php-fpm
- name: Create letsencrypt directory
file:
path: /var/lib/letsencrypt/webroot/.well-known/acme-challenge/
recurse: true
state: directory
mode: 0755
owner: http
group: http
- name: create cert dir
file:
path: /etc/nginx/certs/
recurse: true
state: directory
mode: 0711
owner: http
group: http
- name: create conf dir
file:
path: /etc/nginx/conf.d/
recurse: true
state: directory
mode: 0711
owner: http
group: http
- name: Install config
copy:
src: '{{ item }}'
dest: "/etc/nginx/{{ item }}"
owner: http
group: http
mode: 0600
loop:
- nginx.conf
- redir.conf
- letsencrypt
- name: Start nginx
systemd:
enabled: true
state: started
name: nginx
- include: add_websites.yml
when: websites_enabled is defined

14
templates/tls.j2 Normal file
View File

@ -0,0 +1,14 @@
ssl_certificate /etc/nginx/certs/{{ websites_enabled[0] }}.crt;
ssl_certificate_key /etc/nginx/certs/{{ websites_enabled[0] }}.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam dh-4096.pem;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off; # Requires nginx >= 1.5.9
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";