Initial commit

2021-01-04 22:28:13 +01:00 · 2021-01-04 22:28:13 +01:00 · e214e929a6
commit e214e929a6
7 changed files with 190 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -0,0 +1,16 @@
+# Websites ansible role
+
+This role is here to setup a website with nginx, and letsencrypt certificates using acme.sh.
+
+Without parameters, this setups nginx, php-fpm, with a default http to https redirection and letsencrypt passthrough.
+
+The TLS port is 8443 (on localhost) for sslh passthrough.
+
+Uses the acme_sh role.
+
+## Role parameters
+
+``websites_enabled``: a list of websites to enable, the first of which will serve as an identifer for acme.sh.
+
+it expects the website-specific nginx config files to be in ``<playbook root>/templates/nginx/<domain>.conf.j2``. If a file is not found (e.g. because the file serves both ``www.`` and ``@``), it will continue the process anyway.
+
--- a/files/letsencrypt
+++ b/files/letsencrypt
@ -0,0 +1,6 @@
+location /.well-known/acme-challenge/ {
+    root /var/lib/letsencrypt/webroot/;
+    allow all;
+    default_type text/plain;
+    break;
+}
--- a/files/nginx.conf
+++ b/files/nginx.conf
@ -0,0 +1,43 @@
+
+user http;
+worker_processes  4;
+
+error_log  /var/log/nginx/error.log info;
+#error_log  logs/error.log  notice;
+
+events {
+    worker_connections  1024;
+}
+
+
+http {
+    include       mime.types;
+
+    include       redir.conf;
+    include       conf.d/*.conf;
+
+    default_type  application/octet-stream;
+    server_names_hash_bucket_size 64;
+    types_hash_max_size 4096;
+    index  index.xhtml index.html index.htm;
+
+
+    port_in_redirect off;
+
+    add_header X-Frame-Options DENY;
+    add_header Referrer-policy "no-referrer";
+    add_header Expect-CT "enforce; max-age=86400";
+    #add_header X-Content-Type-Options nosniff;
+    #add_header Content-Security-Policy "script-src 'self'";
+    add_header X-XSS-Protection "1; mode=block";
+
+    #access_log  logs/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    #keepalive_timeout  0;
+    #keepalive_timeout  65;
+
+    gzip  on;
+}
--- a/files/redir.conf
+++ b/files/redir.conf
@ -0,0 +1,9 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+    include letsencrypt;
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
--- a/tasks/add_websites.yml
+++ b/tasks/add_websites.yml
@ -0,0 +1,33 @@
+---
+
+- name: Install tls params
+  template:
+    dest: "/etc/nginx/tls_{{ websites_enabled[0] }}"
+    src: tls.j2
+    mode: 0600
+    owner: http
+    group: http
+
+- name: Generate certs
+  include_role:
+    name: acme_sh
+  vars:
+    acme_domains: websites_enabled
+    acme_dest: /etc/nginx/certs/
+    acme_owner: http
+    acme_reload_cmd: "systemctl reload nginx || true"
+
+- name: Install nginx websites
+  template:
+    src: "{{ playbook_dir }}/templates/nginx/{{ item }}.conf"
+    dest: "/etc/nginx/conf.d/{{ item }}.conf"
+    owner: http
+    group: http
+    mode: 0600
+  ignore_errors: true
+  loop: "{{ websites_enabled }}"
+
+- name: reload nginx
+  systemd:
+    enabled: true
+    name: nginx
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,69 @@
+# Main tasks: install base nginx and letsencrypt redirect
+---
+
+- name: Install packages
+  community.general.pacman:
+    state: present
+    name:
+      - nginx
+      - php-fpm
+      - mime-types
+
+- name: Generate dhparam
+  command:
+    cmd: openssl dhparam -out /etc/nginx/dh-4096.pem 4096
+    creates: /etc/nginx/dh-4096.pem
+
+- name: Enable php-fpm
+  systemd:
+    enabled: true
+    state: started
+    name: php-fpm
+
+- name: Create letsencrypt directory
+  file:
+    path: /var/lib/letsencrypt/webroot/.well-known/acme-challenge/
+    recurse: true
+    state: directory
+    mode: 0755
+    owner: http
+    group: http
+
+- name: create cert dir
+  file:
+    path: /etc/nginx/certs/
+    recurse: true
+    state: directory
+    mode: 0711
+    owner: http
+    group: http
+
+- name: create conf dir
+  file:
+    path: /etc/nginx/conf.d/
+    recurse: true
+    state: directory
+    mode: 0711
+    owner: http
+    group: http
+
+- name: Install config
+  copy:
+    src: '{{ item }}'
+    dest: "/etc/nginx/{{ item }}"
+    owner: http
+    group: http
+    mode: 0600
+  loop:
+    - nginx.conf
+    - redir.conf
+    - letsencrypt
+
+- name: Start nginx
+  systemd:
+    enabled: true
+    state: started
+    name: nginx
+
+- include: add_websites.yml
+  when: websites_enabled is defined
--- a/templates/tls.j2
+++ b/templates/tls.j2
@ -0,0 +1,14 @@
+    ssl_certificate /etc/nginx/certs/{{ websites_enabled[0] }}.crt;
+    ssl_certificate_key /etc/nginx/certs/{{ websites_enabled[0] }}.key;
+
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_dhparam dh-4096.pem;
+    ssl_prefer_server_ciphers on;
+    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
+    ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_tickets off; # Requires nginx >= 1.5.9
+    ssl_stapling on; # Requires nginx >= 1.3.7
+    ssl_stapling_verify on; # Requires nginx => 1.3.7
+    resolver_timeout 5s;
+    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";