letsencrypt gefixt und nginx konfigurationen neu strukturiert

1a2a8c89 · void · 1b1f61b8 · 1a2a8c89 · 1b1f61b8 · 1b1f61b8
Commit 1a2a8c89 authored 8 years ago by void
--- a/host_vars/webserver
+++ b/host_vars/webserver
@@ -12,6 +12,17 @@ debian_sources:
  - "deb http://ftp.halifax.rwth-aachen.de/debian/ jessie-updates main contrib non-free"
  - "deb http://apt.dockerproject.org/repo debian-jessie main"
+letsencrypt_tos_sha256: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221
+letsencrypt_mail: verwaltung@warpzone.ms
+webserver_domains: 
+  - "gitlab"
+  - "infra"
+  - "infra-test"
+  - "ldap"
+  - "mattermost"
+  - "pad"
 administratorenteam:
  - "void"

--- a/webserver/nginx/files/default
+++ b/webserver/nginx/files/default
-server {
-	listen 80;
-	listen [::]:80;
-        listen 443 ssl spdy;
-        listen [::]:443 ssl spdy;
-        ssl_certificate /etc/ssl/fullchain.pem;
-        ssl_certificate_key /etc/ssl/key.pem;
-        ssl_session_cache shared:SSL:5m;
-        ssl_session_timeout 5m;
-        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-        ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-        ssl_prefer_server_ciphers on;
-	server_name wz.dyhost.de;
-	root /var/www/html;
-	index index.html;
-        location / {
-                # First attempt to serve request as file, then
-                # as directory, then fall back to displaying a 404.
-                try_files $uri $uri/ =404;
-                gzip_types text/plain text/css application/json application/javascript;
-        }
-        location /data {
-                expires 0;
-                add_header Cache-Control private;
-                add_header Vary Accept-Encoding;
-                access_log off;
-		gzip_types text/plain application/json;
-        }
-        # Gitlab
-        # Docker Container
-        location /gitlab/  {
-                proxy_set_header        Host $host;
-                proxy_set_header        X-Real-IP $remote_addr;
-                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header        X-Forwarded-Proto $scheme;
-                proxy_pass      http://127.0.0.1:42001/gitlab/;
-                proxy_redirect  off;
-        }
-}
--- a/webserver/nginx/files/default-init
+++ b/webserver/nginx/files/default-init
-server {
-	listen 80;
-	listen [::]:80;
-	server_name _;
-	root /var/www/html;
-	index index.html;
-        location / {
-                # First attempt to serve request as file, then
-                # as directory, then fall back to displaying a 404.
-                try_files $uri $uri/ =404;
-                gzip_types text/plain text/css application/json application/javascript;
-        }
-        location /data {
-                expires 0;
-                add_header Cache-Control private;
-                add_header Vary Accept-Encoding;
-                access_log off;
-		gzip_types text/plain application/json;
-        }
-        # Gitlab
-        # Docker Container
-        location /gitlab/  {
-                proxy_set_header        Host $host;
-                proxy_set_header        X-Real-IP $remote_addr;
-                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header        X-Forwarded-Proto $scheme;
-                proxy_pass      http://127.0.0.1:42001/gitlab/;
-                proxy_redirect  off;
-        }
-}
--- a/webserver/nginx/files/mattermost
+++ b/webserver/nginx/files/mattermost
-# This file is managed by gitlab-ctl. Manual changes will be
-# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
-# and run `sudo gitlab-ctl reconfigure`.
-## GitLab Mattermost
-upstream gitlab_mattermost {
-  server 127.0.0.1:8065;
-}
-map $http_upgrade $connection_upgrade {
-  default upgrade;
-  ''      close;
-}
-server {
-	listen 80;
-	listen [::]:80;
-    	server_name    mattermost.warpzone.ms;
-	location /.well-known/ {
-                root /var/www/html/;
-        }
-        location / {
-                return         301 https://$server_name$request_uri;
-        }
-}
-server {
-    	listen 443 ssl spdy;
-    	listen [::]:443 ssl spdy;
-    	server_name mattermost.warpzone.ms;
-    	ssl_certificate /etc/ssl/fullchain.pem;
-    	ssl_certificate_key /etc/ssl/key.pem;
-    	ssl_session_cache shared:SSL:5m;
-    	ssl_session_timeout 5m;
-    	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-    	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-    	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-    	ssl_prefer_server_ciphers on;
-    	server_tokens off;     # don't show the version number, a security best practice
-    	client_max_body_size 0;
-    	#  access_log  /var/log/gitlab/nginx/gitlab_mattermost_access.log gitlab_mattermost_access;
-    	error_log   /var/log/gitlab/nginx/gitlab_mattermost_error.log;
-    	location /.well-known/ {
-                root /var/www/html/;
-        }
-    	location / {
-        	proxy_read_timeout      300;
-        	proxy_connect_timeout   300;
-        	proxy_redirect          off;
-		proxy_set_header   X-Forwarded-Proto $scheme;
-        	proxy_set_header   Host              $http_host;
-        	proxy_set_header   X-Real-IP         $remote_addr;
-        	proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
-        	proxy_set_header   X-Frame-Options   SAMEORIGIN;
-        	proxy_set_header Upgrade $http_upgrade;
-        	proxy_set_header Connection $connection_upgrade;
-        	proxy_pass http://gitlab_mattermost;
-    	}
-}
--- a/webserver/nginx/files/phpldapadmin
+++ b/webserver/nginx/files/phpldapadmin
-server {
-    listen      80;
-    return 301 https://$host$request_uri;
-}
-server {
-    listen 443 ssl spdy;
-    listen [::]:443 ssl spdy;
-    server_name ldap.warpzone.ms;
-    root /dev/null;
-    index index.html;
-    ssl on;
-	ssl_certificate /etc/ssl/fullchain.pem;
-	ssl_certificate_key /etc/ssl/key.pem;
-	ssl_session_cache shared:SSL:5m;
-	ssl_session_timeout 5m;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-	ssl_prefer_server_ciphers on;
-    charset     utf-8;
-    client_max_body_size 100M;   # adjust to taste
-	location /.well-known/ {
-		root /var/www/html/;
-	}
-    location /  {
-        	proxy_set_header        Host $host;
-        	proxy_set_header        X-Real-IP $remote_addr;
-	        proxy_pass      http://127.0.0.1:42004/;
-        	proxy_redirect  off;
-    }
-}
--- a/webserver/nginx/files/warpinfra
+++ b/webserver/nginx/files/warpinfra
-upstream warpinfra {
-    server unix:///tmp/warpinfra/warpinfra.sock;
-}
-server {
-    listen      80;
-    server_name infra.warpzone.ms;
-    return 301 https://$host$request_uri;
-}
-server {
-    listen 443 ssl spdy;
-    listen [::]:443 ssl spdy;
-    server_name infra.warpzone.ms;
-    root /dev/null;
-    index index.html;
-    ssl on;
-	ssl_certificate /etc/ssl/fullchain.pem;
-	ssl_certificate_key /etc/ssl/key.pem;
-	ssl_session_cache shared:SSL:5m;
-	ssl_session_timeout 5m;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-	ssl_prefer_server_ciphers on;
-    charset     utf-8;
-    client_max_body_size 100M;   # adjust to taste
-	location /.well-known/ {
-		root /var/www/html/;
-    }
-    location /static {
-        alias /tmp/warpinfra/static; # your Django project's static files - amend as required
-    }
-    location / {
-        uwsgi_pass  warpinfra;
-        include     /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
-    }
-}
--- a/webserver/nginx/files/warpinfratest
+++ b/webserver/nginx/files/warpinfratest
-upstream warpinfratest {
-    server unix:///tmp/warpinfratest/warpinfra.sock;
-}
-server {
-    listen      8080;
-    server_name infra.warpzone.ms;
-    return 301 https://$host$request_uri:8443;
-}
-server {
-    listen 8443 ssl spdy;
-    listen [::]:8443 ssl spdy;
-    server_name infra.warpzone.ms;
-    root /dev/null;
-    index index.html;
-    ssl on;
-	ssl_certificate /etc/ssl/fullchain.pem;
-	ssl_certificate_key /etc/ssl/key.pem;
-	ssl_session_cache shared:SSL:5m;
-	ssl_session_timeout 5m;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-	ssl_prefer_server_ciphers on;
-    charset     utf-8;
-    client_max_body_size 100M;   # adjust to taste
-	location /.well-known/ {
-		root /var/www/html/;
-    }
-    location /static {
-        alias /tmp/warpinfratest/static; # your Django project's static files - amend as required
-    }
-    location / {
-        uwsgi_pass  warpinfratest;
-        include     /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
-    }
-}
--- a/webserver/nginx/files/gitlab
+++ b/webserver/nginx/files/gitlab
-server {
-	listen 80;
-	listen [::]:80;
-	server_name    gitlab.warpzone.ms;
-	location /.well-known/ {
-                root /var/www/html/;
-        }
-	location / {
-	    	return         301 https://$server_name$request_uri;
-	}
-}
-server {
-	listen 443 ssl spdy;
-    	listen [::]:443 ssl spdy;
-	ssl_certificate /etc/ssl/fullchain.pem;
-	ssl_certificate_key /etc/ssl/key.pem;
-	ssl_session_cache shared:SSL:5m;
-	ssl_session_timeout 5m;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
-	ssl_prefer_server_ciphers on;    
-	server_name gitlab.warpzone.ms;
-	root /dev/null;
-	index index.html;
-	location /.well-known/ {
-		root /var/www/html/;
-	}
 	location /  {
        	proxy_set_header        Host $host;
        	proxy_set_header        X-Real-IP $remote_addr;
@@ -40,4 +9,3 @@ server {
        	proxy_redirect  off;
    }
-}
--- a/webserver/nginx/includes/infra
+++ b/webserver/nginx/includes/infra
+    location /static {
+        alias /tmp/warpinfra/static; # your Django project's static files - amend as required
+    }
+    location / {
+        uwsgi_pass  unix:///tmp/warpinfra/warpinfra.sock; 
+        include     /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
+    }
--- a/webserver/nginx/includes/infra-test
+++ b/webserver/nginx/includes/infra-test
+    location /static {
+        alias /tmp/warpinfratest/static; # your Django project's static files - amend as required
+    }
+    location / {
+        uwsgi_pass  unix:///tmp/warpinfratest/warpinfra.sock;
+        include     /etc/nginx/uwsgi_params; # the uwsgi_params file you installed
+    }
--- a/webserver/nginx/includes/mattermost
+++ b/webserver/nginx/includes/mattermost
+  server_tokens off;     # don't show the version number, a security best practice
+  client_max_body_size 0;
+    	location / {
+        	proxy_read_timeout      300;
+        	proxy_connect_timeout   300;
+        	proxy_redirect          off;
+ 		    proxy_set_header   X-Forwarded-Proto $scheme;
+        	proxy_set_header   Host              $http_host;
+        	proxy_set_header   X-Real-IP         $remote_addr;
+        	proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        	proxy_set_header   X-Frame-Options   SAMEORIGIN;
+        	proxy_set_header Upgrade $http_upgrade;
+        	proxy_set_header Connection $connection_upgrade;
+        	proxy_pass http://127.0.0.1:8065;
+    	}
--- a/webserver/nginx/includes/pad
+++ b/webserver/nginx/includes/pad
+	location /  {
+        	proxy_set_header        Host $host;
+        	proxy_set_header        X-Real-IP $remote_addr;
+	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        	proxy_set_header        X-Forwarded-Proto $scheme;
+	        proxy_pass      http://127.0.0.1:42003/;
+        	proxy_redirect  off;
+    }
--- a/webserver/nginx/includes/phpldapadmin
+++ b/webserver/nginx/includes/phpldapadmin
+    location /  {
+        	proxy_set_header        Host $host;
+        	proxy_set_header        X-Real-IP $remote_addr;
+	        proxy_pass      http://127.0.0.1:42004/;
+        	proxy_redirect  off;
+    }
--- a/webserver/nginx/tasks/main.yml
+++ b/webserver/nginx/tasks/main.yml
@@ -6,71 +6,72 @@
    state: installed
  with_items:
    - nginx
+    - git
+    - ca-certificates 
+    - gcc
+    - libssl-dev 
+    - libffi-dev
+    - python
+    - python-dev
+    - virtualenv
- stat: path=/etc/ssl/fullchain.pem
+- name: nginx default Konfig entfernen 
-  register: sslcert
+  file: 
+    path: /etc/nginx/sites-enabled/default 
+    state: absent
-# nginx konfigurieren
- name: Konfig-Datei default-init kopieren
-  copy: src=default-init dest=/etc/nginx/sites-available/default
-  notify: restart nginx
-  when: sslcert.stat.exists == False
- name: nginx restarten wenn initial
+# sinp_le installieren 
-  meta: flush_handlers
-  when: sslcert.stat.exists == False
- name: Letsencrypt-Zertifikat beantragen und installieren
+- name: create folder simp_le 
-  shell: "cd /usr/src && if [ ! -e simp_le ]; then git clone https://github.com/kuba/simp_le; fi && cd simp_le && ./bootstrap.sh && if [ ! -e venv/bin/python ]; then ./venv.sh; fi && export PATH=/usr/src/simp_le/venv/bin:$PATH && cd /etc/ssl && simp_le --email info@warpzone.ms -f account_key.json -f key.pem -f fullchain.pem -d gitlab.warpzone.ms:/var/www/html -d mattermost.warpzone.ms:/var/www/html -d infra.warpzone.ms:/var/www/html -d ldap.warpzone.ms:/var/www/html -d pad.warpzone.ms:/var/www/html" 
+  file: 
-  notify: restart nginx
+    path: "/opt/simp_le/" 
-  when: sslcert.stat.exists == False
+    state: "directory"
- name: Konfig-Datei default kopieren
+- name: clone simp_le repo
-  copy: src=default dest=/etc/nginx/sites-available/default
+  git: 
-  notify: restart nginx
+    repo: "https://github.com/zenhack/simp_le.git" 
+    version: "60ee2111609022e6550dbe137c2a6064890a5ca0"
+    dest: "/opt/simp_le/" 
- name: Konfig-Datei etherpad kopieren
-  copy: src=etherpad dest=/etc/nginx/sites-available/etherpad
-  notify: restart nginx
- name: Activate etherpad config
+# LetsEncrypt Script erstellen 
-  file: src=/etc/nginx/sites-available/etherpad dest=/etc/nginx/sites-enabled/etherpad state=link
- name: Konfig-Datei gitlab kopieren
-  copy: src=gitlab dest=/etc/nginx/sites-available/gitlab
-  notify: restart nginx
- name: Activate gitlab config
+- name: LetsEncrypt Script erstellen 
-  file: src=/etc/nginx/sites-available/gitlab dest=/etc/nginx/sites-enabled/gitlab state=link
+  template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x
+  register: letsencryptsh
- name: Konfig-Datei mattermost kopieren
+- name: Cronjob für Zertifikatserneuerung
-  copy: src=gitlab dest=/etc/nginx/sites-available/gitlab
+  cron: name="letsencrypt" weekday="2" hour="20" minute="0" job="/opt/letsencrypt.sh"
-  notify: restart nginx
- name: Activate mattermost config
-  file: src=/etc/nginx/sites-available/mattermost dest=/etc/nginx/sites-enabled/mattermost state=link
- name: Konfig-Datei warpinfra kopieren
-  copy: src=warpinfra dest=/etc/nginx/sites-available/warpinfra
-  notify: restart nginx
- name: Activate warpinfra config
+# nginx konfigurieren (initial, falls noch kein Zertifikat existiert)
-  file: src=/etc/nginx/sites-available/warpinfra dest=/etc/nginx/sites-enabled/warpinfra state=link
+- name: check if fullchain.pem exists
+  stat: path=/etc/ssl/fullchain.pem
+  register: sslcert
- name: Konfig-Datei warpinfratest kopieren
+- name: Konfig-Datei default erstellen (initial)
-  copy: src=warpinfratest dest=/etc/nginx/sites-available/warpinfratest
+  template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone.ms
+  with_items: webserver_domains
  notify: restart nginx
+  when: sslcert.stat.exists == False
+- name: nginx restarten (initial)
+  meta: flush_handlers
+  when: sslcert.stat.exists == False
+- name: Letsencrypt-Zertifikat beantragen und installieren 
+  shell: "/opt/letsencrypt.sh" 
+  when: sslcert.stat.exists == False or letsencryptsh.changed
- name: Activate warpinfratest config
+# nginx konfigurieren
-  file: src=/etc/nginx/sites-available/warpinfratest dest=/etc/nginx/sites-enabled/warpinfratest state=link
- name: Konfig-Datei phpldapadmin kopieren
+- name: Konfig-Datei default erstellen
-  copy: src=phpldapadmin dest=/etc/nginx/sites-available/phpldapadmin
+  template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone.ms
+  with_items: webserver_domains
  notify: restart nginx
- name: Activate phpldapadmin config
-  file: src=/etc/nginx/sites-available/phpldapadmin dest=/etc/nginx/sites-enabled/phpldapadmin state=link
- name: Cronjob für Zertifikatserneuerung
-  cron: name="simp_le" weekday="2" hour="20" minute="0" job="cd /etc/ssl && PATH=/usr/src/simp_le/venv/bin:/usr/sbin:/usr/bin:/sbin:/bin simp_le --email info@warpzone.ms -f account_key.json -f key.pem -f fullchain.pem -d gitlab.warpzone.ms:/var/www/html -d mattermost.warpzone.ms:/var/www/html -d infra.warpzone.ms:/var/www/html -d ldap.warpzone.ms:/var/www/html -d pad.warpzone.ms:/var/www/html && systemctl reload nginx"
--- a/webserver/nginx/templates/letsencrypt.sh
+++ b/webserver/nginx/templates/letsencrypt.sh
+#!/bin/bash
+cd /opt/simp_le/ 
+if [ ! -e venv/bin/python ]; then ./venv.sh; fi 
+cd /etc/ssl 
+PATH=/opt/simp_le/venv/bin:/usr/sbin:/usr/bin:/sbin:/bin 
+simp_le --email {{ letsencrypt_mail }} -f account_key.json -f key.pem -f fullchain.pem --tos_sha256 {{ letsencrypt_tos_sha256 }} {% for domain in webserver_domains %} -d {{ domain }}.warpzone.ms:/var/www/html {% endfor %} && systemctl reload nginx
--- a/webserver/nginx/files/etherpad
+++ b/webserver/nginx/files/etherpad
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+}
 server {
 	listen 80;
 	listen [::]:80;
-	server_name    pad.warpzone.ms;
+        {% if sslcert.stat.exists == True %}
-	location /.well-known/ {
-                root /var/www/html/;
-        }
-	location / {
-	    	return         301 https://$server_name$request_uri;
-	}
-}
-server {
 	listen 443 ssl spdy;
    	listen [::]:443 ssl spdy;
 	ssl_certificate /etc/ssl/fullchain.pem;
 	ssl_certificate_key /etc/ssl/key.pem;
 	ssl_session_cache shared:SSL:5m;
@@ -23,22 +22,18 @@ server {
 	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
 	ssl_ciphers "AES:!ADH:!AECDH:!MD5:!DSS";
 	ssl_prefer_server_ciphers on;    
-	server_name pad.warpzone.ms;
+        {% endif %}
+	server_name {{ item }}.warpzone.ms;
 	root /dev/null;
 	index index.html;
 	location /.well-known/ {
 		root /var/www/html/;
 	}
-	location /  {
-        	proxy_set_header        Host $host;
-        	proxy_set_header        X-Real-IP $remote_addr;
-	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
-        	proxy_set_header        X-Forwarded-Proto $scheme;
-	        proxy_pass      http://127.0.0.1:42003/;
-        	proxy_redirect  off;
-    }
+        {% include "includes/" + item ignore missing %}
 }