From 52370b289e9c181f1021c68fb95b3342fbce8283 Mon Sep 17 00:00:00 2001
From: Christian Elberfeld <christian.elberfeld@adesso.de>
Date: Sun, 20 Jan 2019 19:45:47 +0100
Subject: [PATCH] umbau nginx auf certbot und deploy prod

---
 common/nginx/handlers/main.yml                |  6 ++
 .../nginx/includes/alerta.warpzone.ms         |  0
 .../nginx/includes/auth.warpzone.ms           |  0
 .../nginx/includes/gitlab.warpzone.ms         |  0
 .../nginx/includes/infra-test.warpzone.ms     |  0
 .../nginx/includes/infra.warpzone.ms          |  0
 .../nginx/includes/ldap.warpzone.ms           |  0
 .../nginx/includes/mattermost.warpzone.ms     |  0
 .../nginx/includes/md.warpzone.ms             |  0
 .../nginx/includes/pad.warpzone.ms            |  0
 .../nginx/includes/verwaltung-git.warpzone.ms | 12 +++
 common/nginx/includes/verwaltung.warpzone.ms  |  5 ++
 common/nginx/includes/warpzone.ms             |  4 +
 .../nginx/includes/wiki.warpzone.ms           |  0
 .../nginx/includes/www-test.warpzone.ms       |  0
 .../nginx/includes/www.warpzone.ms            |  0
 common/nginx/tasks/config_site.yml            | 23 +++++
 common/nginx/tasks/main.yml                   | 70 +++++++++++++++
 common/nginx/templates/letsencrypt.sh         |  5 ++
 common/nginx/templates/nginx-site             | 56 ++++++++++++
 common/nginx/templates/nginx-status           | 24 +++++
 common/nginx/templates/telegraf.conf          | 24 +++++
 group_vars/all                                |  3 +
 host_vars/vorstand                            | 12 +++
 host_vars/webserver                           | 38 ++++----
 host_vars/webserver-test                      | 13 ++-
 vorstand/main.yml                             |  3 +
 webserver-test/main.yml                       |  2 +-
 webserver/main.yml                            |  2 +-
 webserver/nginx/handlers/main.yml             |  3 -
 webserver/nginx/tasks/main.yml                | 89 -------------------
 webserver/nginx/templates/letsencrypt.sh      |  9 --
 webserver/nginx/templates/nginx-site          | 82 -----------------
 33 files changed, 270 insertions(+), 215 deletions(-)
 create mode 100644 common/nginx/handlers/main.yml
 rename webserver/nginx/includes/alerta => common/nginx/includes/alerta.warpzone.ms (100%)
 rename webserver/nginx/includes/auth => common/nginx/includes/auth.warpzone.ms (100%)
 rename webserver/nginx/includes/gitlab => common/nginx/includes/gitlab.warpzone.ms (100%)
 rename webserver/nginx/includes/infra-test => common/nginx/includes/infra-test.warpzone.ms (100%)
 rename webserver/nginx/includes/infra => common/nginx/includes/infra.warpzone.ms (100%)
 rename webserver/nginx/includes/ldap => common/nginx/includes/ldap.warpzone.ms (100%)
 rename webserver/nginx/includes/mattermost => common/nginx/includes/mattermost.warpzone.ms (100%)
 rename webserver/nginx/includes/md => common/nginx/includes/md.warpzone.ms (100%)
 rename webserver/nginx/includes/pad => common/nginx/includes/pad.warpzone.ms (100%)
 create mode 100644 common/nginx/includes/verwaltung-git.warpzone.ms
 create mode 100644 common/nginx/includes/verwaltung.warpzone.ms
 create mode 100644 common/nginx/includes/warpzone.ms
 rename webserver/nginx/includes/wiki => common/nginx/includes/wiki.warpzone.ms (100%)
 rename webserver/nginx/includes/www => common/nginx/includes/www-test.warpzone.ms (100%)
 rename webserver/nginx/includes/www-test => common/nginx/includes/www.warpzone.ms (100%)
 create mode 100644 common/nginx/tasks/config_site.yml
 create mode 100644 common/nginx/tasks/main.yml
 create mode 100644 common/nginx/templates/letsencrypt.sh
 create mode 100644 common/nginx/templates/nginx-site
 create mode 100644 common/nginx/templates/nginx-status
 create mode 100644 common/nginx/templates/telegraf.conf
 delete mode 100644 webserver/nginx/handlers/main.yml
 delete mode 100644 webserver/nginx/tasks/main.yml
 delete mode 100644 webserver/nginx/templates/letsencrypt.sh
 delete mode 100644 webserver/nginx/templates/nginx-site

diff --git a/common/nginx/handlers/main.yml b/common/nginx/handlers/main.yml
new file mode 100644
index 00000000..7217c0ff
--- /dev/null
+++ b/common/nginx/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart nginx
+  service: name=nginx state=restarted
+
+- name: restart telegraf
+  service: name=telegraf state=restarted
diff --git a/webserver/nginx/includes/alerta b/common/nginx/includes/alerta.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/alerta
rename to common/nginx/includes/alerta.warpzone.ms
diff --git a/webserver/nginx/includes/auth b/common/nginx/includes/auth.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/auth
rename to common/nginx/includes/auth.warpzone.ms
diff --git a/webserver/nginx/includes/gitlab b/common/nginx/includes/gitlab.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/gitlab
rename to common/nginx/includes/gitlab.warpzone.ms
diff --git a/webserver/nginx/includes/infra-test b/common/nginx/includes/infra-test.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/infra-test
rename to common/nginx/includes/infra-test.warpzone.ms
diff --git a/webserver/nginx/includes/infra b/common/nginx/includes/infra.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/infra
rename to common/nginx/includes/infra.warpzone.ms
diff --git a/webserver/nginx/includes/ldap b/common/nginx/includes/ldap.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/ldap
rename to common/nginx/includes/ldap.warpzone.ms
diff --git a/webserver/nginx/includes/mattermost b/common/nginx/includes/mattermost.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/mattermost
rename to common/nginx/includes/mattermost.warpzone.ms
diff --git a/webserver/nginx/includes/md b/common/nginx/includes/md.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/md
rename to common/nginx/includes/md.warpzone.ms
diff --git a/webserver/nginx/includes/pad b/common/nginx/includes/pad.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/pad
rename to common/nginx/includes/pad.warpzone.ms
diff --git a/common/nginx/includes/verwaltung-git.warpzone.ms b/common/nginx/includes/verwaltung-git.warpzone.ms
new file mode 100644
index 00000000..4206d1d4
--- /dev/null
+++ b/common/nginx/includes/verwaltung-git.warpzone.ms
@@ -0,0 +1,12 @@
+
+	location /  {
+
+        	proxy_set_header        Host $host;
+        	proxy_set_header        X-Real-IP $remote_addr;
+	        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        	proxy_set_header        X-Forwarded-Proto $scheme;
+
+	        proxy_pass      http://127.0.0.1:42001/;
+        	proxy_redirect  off;
+
+    }
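Review bot: The `location /` block proxies to `http://127.0.0.1:42001/` without `proxy_http_version 1.1` or the `Upgrade`/`Connection` headers, so the `$connection_upgrade` map that the nginx-site template defines for every site is never used by this include. If the service behind port 42001 needs websockets, add `proxy_http_version 1.1;`, `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection $connection_upgrade;` next to the existing `proxy_set_header` lines; if it does not, the map in nginx-site is dead weight. The block also mixes tabs and spaces for indentation, which nginx accepts but which makes future diffs noisy.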
diff --git a/common/nginx/includes/verwaltung.warpzone.ms b/common/nginx/includes/verwaltung.warpzone.ms
new file mode 100644
index 00000000..50abb8ca
--- /dev/null
+++ b/common/nginx/includes/verwaltung.warpzone.ms
@@ -0,0 +1,5 @@
+
+    location / {
+      rewrite     ^(.*)   https://verwaltung-git.warpzone.ms$1;
+    }
+
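Review bot: The `rewrite ^(.*) https://verwaltung-git.warpzone.ms$1;` carries no `permanent` flag, so nginx answers with a temporary 302, whereas the nginx-site template uses `permanent` for its own HTTP→HTTPS redirect; a canonical-host redirect is meant to be cached by clients. `return 301 https://verwaltung-git.warpzone.ms$request_uri;` is the idiomatic form and drops the regex. The same applies to the `warpzone.ms` include that follows, which redirects to `https://www.warpzone.ms$1` the same way.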
diff --git a/common/nginx/includes/warpzone.ms b/common/nginx/includes/warpzone.ms
new file mode 100644
index 00000000..4a318e05
--- /dev/null
+++ b/common/nginx/includes/warpzone.ms
@@ -0,0 +1,4 @@
+
+    location / {
+      rewrite     ^(.*)   https://www.warpzone.ms$1;
+    }
diff --git a/webserver/nginx/includes/wiki b/common/nginx/includes/wiki.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/wiki
rename to common/nginx/includes/wiki.warpzone.ms
diff --git a/webserver/nginx/includes/www b/common/nginx/includes/www-test.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/www
rename to common/nginx/includes/www-test.warpzone.ms
diff --git a/webserver/nginx/includes/www-test b/common/nginx/includes/www.warpzone.ms
similarity index 100%
rename from webserver/nginx/includes/www-test
rename to common/nginx/includes/www.warpzone.ms
diff --git a/common/nginx/tasks/config_site.yml b/common/nginx/tasks/config_site.yml
new file mode 100644
index 00000000..a867aac3
--- /dev/null
+++ b/common/nginx/tasks/config_site.yml
@@ -0,0 +1,23 @@
+
+# Konfiguration einer nginx-site 
+# {{ item }} enthält den vollständigen Domänennamen 
+# Falls erforderlich wird das Zertifikat über Letsencrypt geholt 
+
+- name: Check if cert already exists for {{ item }} 
+  stat:
+    path: /etc/letsencrypt/live/{{ item }}/privkey.pem
+  register: cert
+
+- name: Stop nginx
+  service: name=nginx state=stopped
+  notify: restart nginx
+  when: cert.stat.exists == False 
+
+- name: Get Certificate for {{ item }} via Certbot
+  command: "certbot certonly --non-interactive --agree-tos --standalone -m {{ letsencrypt_mail }} -w /var/www/html/  -d {{ item }}"
+  when: cert.stat.exists == False 
+
+- name: Create nginx config for {{ item }}
+  template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}
+  notify: restart nginx
+
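Review bot: The certbot command combines `--standalone` with `-w /var/www/html/`; `-w` is the webroot authenticator's option and is ignored by standalone, so the flag is either dead or the intended authenticator was webroot. Stopping nginx with `notify: restart nginx` keeps nginx down until handlers run at the end of the play — through every later domain of the loop and every task after the include — and if certbot fails the play aborts with nginx still stopped. The deleted role avoided this by rendering an HTTP-only site first and then running the ACME client against the running server; here the nginx-site template already serves `/.well-known/acme-challenge/` from `/var/www/html/`, so once a site exists `--webroot -w /var/www/html/` needs no stop at all. If standalone must stay for the first-run case, wrap stop/issue/start in a `block` with an `always` that starts nginx again, and write the condition as `when: not cert.stat.exists`.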
diff --git a/common/nginx/tasks/main.yml b/common/nginx/tasks/main.yml
new file mode 100644
index 00000000..18b83ae9
--- /dev/null
+++ b/common/nginx/tasks/main.yml
@@ -0,0 +1,70 @@
+# Pakete installieren
+- name: nginx installieren
+  apt:
+    name: "{{ packages }}"
+    update_cache: yes
+    state: present
+  vars:
+    packages:
+    - nginx-light
+    - libnginx-mod-http-lua
+    - ca-certificates 
+    - openssl
+    - certbot
+    - git
+
+
+# DH Parameter geneieriern 
+
+- name: check if DH Params exists 
+  stat:
+    path: /etc/nginx/dhparams.pem
+  register: dhparams
+
+- name: generate new DH Params 
+  command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+  when: dhparams.stat.exists == False 
+
+
+# NginX einrichten 
+
+- name: nginx default Konfig entfernen 
+  file: 
+    path: /etc/nginx/sites-enabled/default 
+    state: absent
+
+
+# LetsEncrypt Script erstellen 
+
+- name: LetsEncrypt Script erstellen 
+  template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x
+  notify: restart nginx
+
+- name: Cronjob für Zertifikatserneuerung
+  cron: name="letsencrypt" weekday="*" hour="6" minute="0" job="/opt/letsencrypt.sh"
+
+
+# nginx konfigurieren 
+
+- include: config_site.yml
+  with_items:
+    - "{{ webserver_domains }}"
+ 
+
+- name: Konfig-Datei status erstellen
+  template: src=nginx-status dest=/etc/nginx/sites-enabled/status
+  notify: restart nginx
+
+
+# telegraf konfigurieren 
+
+- name: Konfig-Datei status erstellen
+  template: src=telegraf.conf dest=/etc/telegraf/telegraf.d/nginx.conf
+  notify: restart telegraf 
+  
+- name: adding existing user 'telegraf' to group adm
+  user:
+    name: telegraf
+    groups: adm
+    append: yes
+
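Review bot: Two tasks share the name `Konfig-Datei status erstellen`; the second renders the telegraf nginx input and should say so, e.g. `Telegraf nginx-Input konfigurieren`, otherwise play output and `--start-at-task` are ambiguous. `mode=o+x` on the letsencrypt.sh template only adds the others-execute bit to whatever the umask produced, leaving a world-executable script whose owner bits were never set — it runs from root's cron only because root ignores the owner bits; `mode=0750` states the intent. `include:` combined with `with_items` is the deprecated form and the nested `- "{{ webserver_domains }}"` relies on list flattening; `include_tasks: config_site.yml` with `loop: "{{ webserver_domains }}"` does the same directly. The `notify: restart nginx` on the script template is unnecessary, since rendering the script changes no nginx configuration.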
diff --git a/common/nginx/templates/letsencrypt.sh b/common/nginx/templates/letsencrypt.sh
new file mode 100644
index 00000000..8e5efbfc
--- /dev/null
+++ b/common/nginx/templates/letsencrypt.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+{% for domain in webserver_domains %}
+certbot certonly --non-interactive --agree-tos --webroot -m {{ letsencrypt_mail }} -w /var/www/html/  -d {{ domain }}.void.ms
+{% endfor %}
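Review bot: The loop appends `.void.ms` to every entry of `webserver_domains`, but after this commit the list already holds fully qualified names such as `auth.warpzone.ms` (host_vars/webserver, host_vars/vorstand), so each nightly run requests `auth.warpzone.ms.void.ms`, fails validation, and the real certificates silently expire. The script also never reloads nginx, so even a successful renewal is not served until the next restart. One line covers both: `certbot certonly --non-interactive --agree-tos --webroot -m {{ letsencrypt_mail }} -w /var/www/html/ -d {{ domain }} --deploy-hook "systemctl reload nginx"`. Since the initial issuance in config_site.yml used `--standalone`, the stored renewal configuration for each lineage may still name that authenticator; worth checking that the webroot run updates it, otherwise a later `certbot renew` would try to bind port 80 under nginx.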
diff --git a/common/nginx/templates/nginx-site b/common/nginx/templates/nginx-site
new file mode 100644
index 00000000..34c155ec
--- /dev/null
+++ b/common/nginx/templates/nginx-site
@@ -0,0 +1,56 @@
+
+
+map $http_upgrade $connection_upgrade {
+        default upgrade;
+        ''      close;
+}
+
+server {
+
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ item }};
+	root /dev/null;
+	index index.html;
+
+	location /.well-known/acme-challenge/ {
+		root /var/www/html/;
+	}
+
+        location / {
+        	rewrite     ^(.*)   https://{{ item }}$1 permanent;
+  	}
+
+}
+
+server {
+
+	listen 443 ssl http2;
+ 	listen [::]:443 ssl http2;
+
+	ssl_certificate /etc/letsencrypt/live/{{ item }}/fullchain.pem;
+	ssl_certificate_key /etc/letsencrypt/live/{{ item }}/privkey.pem;
+	ssl_dhparam /etc/nginx/dhparams.pem;
+
+	ssl_session_cache shared:SSL:5m;
+	ssl_session_timeout 5m;
+	
+	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+	ssl_protocols TLSv1.2;
+	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;	
+	ssl_prefer_server_ciphers on;    
+
+	server_name {{ item }};
+	root /dev/null;
+	index index.html;
+
+	location /.well-known/acme-challenge/ {
+		root /var/www/html/;
+	}
+
+  	{% include "includes/" + item ignore missing %}
+	
+}
+
+
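Review bot: Compared with the deleted webserver/nginx/templates/nginx-site, the HTTPS server block drops `ssl_session_tickets off;`, `ssl_stapling on;` and `ssl_stapling_verify on;` without the commit saying why; stapling in particular is worth keeping now that certificates rotate frequently, so re-add those three lines next to `ssl_session_timeout`. The `ssl_ciphers` string lists `ECDHE-RSA-AES256-GCM-SHA512` and `DHE-RSA-AES256-GCM-SHA512`, which are not OpenSSL cipher names and are silently skipped, leaving three RSA-only suites, one of them CBC; a list of the ECDHE AES-GCM and ChaCha20 suites would state what is actually negotiated. `add_header Strict-Transport-Security` is only inherited by locations that set no `add_header` themselves, so any site include that adds its own headers loses HSTS — a comment on that line, `# inherited only by locations without their own add_header`, would warn include authors.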
diff --git a/common/nginx/templates/nginx-status b/common/nginx/templates/nginx-status
new file mode 100644
index 00000000..7bc3c674
--- /dev/null
+++ b/common/nginx/templates/nginx-status
@@ -0,0 +1,24 @@
+
+
+server {
+
+  listen 9145;
+
+  location /status {
+
+        # Turn on nginx stats
+        stub_status on;
+
+        # I do not need logs for stats
+        access_log   off;
+
+        # Security: Only allow access from 
+        allow 127.0.0.1;
+   
+        # Send rest of the world to /dev/null #
+        deny all;
+        
+  }
+  
+}
+
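Review bot: `listen 9145;` binds the status server on every interface and relies on `allow 127.0.0.1; deny all;` inside the location to keep it private, yet the only consumer is telegraf on `http://127.0.0.1:9145/status`. `listen 127.0.0.1:9145;` keeps the port off the network entirely and turns the allow/deny into defence in depth rather than the sole control. The comment `# Security: Only allow access from` is cut off; finish it with `localhost`.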
diff --git a/common/nginx/templates/telegraf.conf b/common/nginx/templates/telegraf.conf
new file mode 100644
index 00000000..34894dd3
--- /dev/null
+++ b/common/nginx/templates/telegraf.conf
@@ -0,0 +1,24 @@
+
+# Read Nginx's basic status information (ngx_http_stub_status_module)
+[[inputs.nginx]]
+  ## An array of Nginx stub_status URI to gather stats.
+  urls = ["http://127.0.0.1:9145/status"]
+
+  ## Optional TLS Config
+  # tls_ca = "/etc/telegraf/ca.pem"
+  # tls_cert = "/etc/telegraf/cert.pem"
+  # tls_key = "/etc/telegraf/key.pem"
+  ## Use TLS but skip chain & host verification
+  # insecure_skip_verify = false
+
+  ## HTTP response timeout (default: 5s)
+  response_timeout = "5s"
+
+
+#[[inputs.logparser]]
+#  files = ["/var/log/nginx/access.log"]
+#  from_beginning = true
+#  name_override = "nginx_access_log"
+#  [inputs.logparser.grok]
+#    patterns = ["%{COMBINED_LOG_FORMAT}"]
+
diff --git a/group_vars/all b/group_vars/all
index fdd88092..0657e77d 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,5 +1,8 @@
 # Globale Variablen für alle Server
 
+# Letsencrypt notification mail 
+letsencrypt_mail: verwaltung@warpzone.ms
+
 # IP Adresse des LDAP Servers
 # Extern läuft auf dem webserver
 ldap_ip_ext: 10.0.20.2
diff --git a/host_vars/vorstand b/host_vars/vorstand
index 0d54f071..bd03105b 100644
--- a/host_vars/vorstand
+++ b/host_vars/vorstand
@@ -9,12 +9,24 @@ debian_sources:
   - "deb http://repo.myloc.de/debian stretch main non-free contrib"
   - "deb https://download.docker.com/linux/debian stretch stable"
   - "deb http://packages.x2go.org/debian stretch main"
+  - "deb https://repos.influxdata.com/debian stretch stable"
+
 
 debian_keys_id:
   - "E1F958385BFE2B6E" # x2go repo key
   
 debian_keys_url:
   - "https://download.docker.com/linux/debian/gpg"
+  - "https://repos.influxdata.com/influxdb.key"
+
+
+# Art des Hosts: physical, vm, docker 
+host_type: "vm"
+
+
+webserver_domains: 
+  - "verwaltung.warpzone.ms"
+  - "verwaltung-git.warpzone.ms"
 
 
 administratorenteam:
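Review bot: The InfluxData repository key is added through `debian_keys_url` by URL alone, while the x2go key above it is pinned by ID in `debian_keys_id`; if that list feeds `apt_key` (the role is outside this diff), a URL-fetched key becomes trusted for every apt source on the host with no check beyond TLS on the download. Pinning the expected fingerprint next to the URL, e.g. `id: <INFLUXDATA-KEY-FINGERPRINT>` (value to be taken from the vendor's published fingerprint), gives a verifiable anchor. A comment above `webserver_domains` saying that each entry must match a file in `common/nginx/includes/` and is passed to certbot verbatim would spare the next reader a trip into the role.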
diff --git a/host_vars/webserver b/host_vars/webserver
index 7ec39357..da8dec92 100644
--- a/host_vars/webserver
+++ b/host_vars/webserver
@@ -24,29 +24,23 @@ debian_keys_url:
 host_type: "vm"
 
 
-letsencrypt_tos_sha256: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221
-
-letsencrypt_mail: verwaltung@warpzone.ms
-
 webserver_domains: 
-  - "auth"
-  - "alerta"
-  - "gitlab"
-  - "infra"
-  - "infra-test"
-  - "jabber"
-  - "muc.jabber"
-  - "proxy.jabber"
-  - "jabber-test"
-  - "muc.jabber-test"
-  - "proxy.jabber-test"
-  - "ldap"
-  - "mattermost"
-  - "md"
-  - "pad"
-  - "wiki"
-  - "www"
-  - "www-test"
+  - "auth.warpzone.ms"
+  - "alerta.warpzone.ms"
+  - "gitlab.warpzone.ms"
+  - "infra.warpzone.ms"
+  - "jabber.warpzone.ms"
+  - "muc.jabber.warpzone.ms"
+  - "proxy.jabber.warpzone.ms"
+  - "jabber-test.warpzone.ms"
+  - "muc.jabber-test.warpzone.ms"
+  - "proxy.jabber-test.warpzone.ms"
+  - "ldap.warpzone.ms"
+  - "mattermost.warpzone.ms"
+  - "md.warpzone.ms"
+  - "pad.warpzone.ms"
+  - "wiki.warpzone.ms"
+  - "www.warpzone.ms"
 
 administratorenteam:
   - "void"
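Review bot: The entries are now fully qualified and used verbatim by the nginx-site template's `{% include "includes/" + item %}` and by certbot, so the rename pairing in the diffstat deserves a look: `webserver/nginx/includes/www` became `www-test.warpzone.ms` and `www-test` became `www.warpzone.ms`. That is harmless if git merely paired two identical files during rename detection, but if the two includes differ, the production and test sites now serve each other's location blocks; worth verifying before deploying. `infra-test` and `www-test` are dropped from this host, so their existing lineages under /etc/letsencrypt on the production webserver stop being renewed by letsencrypt.sh — fine if they only live on webserver-test now, but leaving the old certificates to expire in place rather than removing them should be a conscious choice.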
diff --git a/host_vars/webserver-test b/host_vars/webserver-test
index b14b9789..348cdf10 100644
--- a/host_vars/webserver-test
+++ b/host_vars/webserver-test
@@ -22,16 +22,13 @@ debian_keys:
 host_type: "vm"
 
 
-letsencrypt_tos_sha256: 6373439b9f29d67a5cd4d18cbc7f264809342dbf21cb2ba2fc7588df987a6221
-
-letsencrypt_mail: verwaltung@warpzone.ms
 
 webserver_domains: 
-  - "infra-test"
-  - "jabber-test"
-  - "muc.jabber-test"
-  - "proxy.jabber-test"
-  - "www-test"
+  - "infra-test.warpzone.ms"
+  - "jabber-test.warpzone.ms"
+  - "muc.jabber-test.warpzone.ms"
+  - "proxy.jabber-test.warpzone.ms"
+  - "www-test.warpzone.ms"
 
 administratorenteam:
   - "void"
diff --git a/vorstand/main.yml b/vorstand/main.yml
index e8fa988c..3f13121d 100644
--- a/vorstand/main.yml
+++ b/vorstand/main.yml
@@ -3,7 +3,10 @@
 - hosts: vorstand
   remote_user: root
   roles:
+    - { role: ../common/telegraf, tags: telegraf }
     - { role: ../common/docker, tags: docker }
+    - { role: ../common/nginx, tags: nginx }
+    - { role: docker_gitea, tags: gitea }
     - { role: docker_mysql, tags: mysql }
     - { role: user, tags: user }
     - { role: jameica, tags: jameica }
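Review bot: The play now references `docker_gitea`, which this commit neither creates nor touches (no `vorstand/docker_gitea` files appear in the diffstat), so unless that role already exists in the repository the play fails at role resolution. The nginx include for `verwaltung-git.warpzone.ms` proxies to 127.0.0.1:42001, presumably that role's container port; a comment on the role line, e.g. `# upstream for verwaltung-git.warpzone.ms (127.0.0.1:42001, see common/nginx/includes)`, documents the coupling. `../common/nginx` is ordered before `docker_gitea`, so on a first run certificates are issued and nginx restarted before the upstream exists — harmless for nginx itself, but the proxied site answers 502 until the gitea role has finished.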
diff --git a/webserver-test/main.yml b/webserver-test/main.yml
index e06af653..c4578601 100644
--- a/webserver-test/main.yml
+++ b/webserver-test/main.yml
@@ -4,7 +4,7 @@
   remote_user: root
   roles:
     - { role: ../common/docker, tags: docker }
-    - { role: ../webserver/nginx, tags: nginx }
+    - { role: ../common/nginx, tags: nginx }
     - { role: ../webserver/docker_jabber, tags: jabber }
     - { role: ../webserver/docker_ldap, tags: ldap }
     - { role: ../webserver/docker_warpinfra, tags: warpinfra }
diff --git a/webserver/main.yml b/webserver/main.yml
index 7e5861b5..e7be0116 100644
--- a/webserver/main.yml
+++ b/webserver/main.yml
@@ -6,7 +6,7 @@
     - { role: ../common/borgbackup, tags: borgbackup }
     - { role: ../common/docker, tags: docker }
     - { role: ../common/telegraf, tags: telegraf }
-    - { role: nginx, tags: nginx }
+    - { role: ../common/nginx, tags: nginx }
     - { role: openvpn, tags: openvpn }
     - { role: docker_alerta, tags: alerta }
     - { role: docker_dokuwiki, tags: dokuwiki }
diff --git a/webserver/nginx/handlers/main.yml b/webserver/nginx/handlers/main.yml
deleted file mode 100644
index 92971d2c..00000000
--- a/webserver/nginx/handlers/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-- name: restart nginx
-  service: name=nginx state=restarted
diff --git a/webserver/nginx/tasks/main.yml b/webserver/nginx/tasks/main.yml
deleted file mode 100644
index 2e9f0588..00000000
--- a/webserver/nginx/tasks/main.yml
+++ /dev/null
@@ -1,89 +0,0 @@
-# Pakete installieren
-- name: nginx installieren
-  apt:
-    name: "{{ packages }}"
-    update_cache: yes
-    state: present
-  vars:
-    packages:
-      - nginx
-      - git
-      - ca-certificates 
-      - gcc
-      - libssl-dev 
-      - libffi-dev
-      - python
-      - python-dev
-      - virtualenv
-
-- name: nginx default Konfig entfernen 
-  file: 
-    path: /etc/nginx/sites-enabled/default 
-    state: absent
-
-# DH Parameter geneieriern 
-
-- name: check if DH Params exists 
-  stat:
-    path: /etc/nginx/dhparams.pem
-  register: dhparams
-
-- name: generate new DH Params 
-  command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
-  when: dhparams.stat.exists == False 
-
-# sinp_le installieren 
-
-- name: create folder simp_le 
-  file: 
-    path: "/opt/simp_le/" 
-    state: "directory"
-
-- name: clone simp_le repo
-  git: 
-    repo: "https://github.com/zenhack/simp_le.git" 
-    version: "60ee2111609022e6550dbe137c2a6064890a5ca0"
-    dest: "/opt/simp_le/" 
-
-
-# LetsEncrypt Script erstellen 
-
-- name: LetsEncrypt Script erstellen 
-  template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x
-  register: letsencryptsh
-
-- name: Cronjob für Zertifikatserneuerung
-  cron: name="letsencrypt" weekday="2" hour="20" minute="0" job="/opt/letsencrypt.sh"
-
-
-# nginx konfigurieren (initial, falls noch kein Zertifikat existiert)
-
-- name: check if fullchain.pem exists
-  stat: path=/etc/ssl/fullchain.pem
-  register: sslcert
-
-- name: Konfig-Datei default erstellen (initial)
-  template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone.ms
-  with_items: webserver_domains
-  notify: restart nginx
-  when: sslcert.stat.exists == False
-
-- name: nginx restarten (initial)
-  meta: flush_handlers
-  when: sslcert.stat.exists == False
-
-- name: Letsencrypt-Zertifikat beantragen und installieren 
-  shell: "/opt/letsencrypt.sh" 
-  when: sslcert.stat.exists == False or letsencryptsh.changed
-
-
-# nginx konfigurieren
-
-- name: Konfig-Datei default erstellen
-  template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone.ms
-  with_items: 
-    - "{{webserver_domains}}"
-  notify: restart nginx
-
-
-
diff --git a/webserver/nginx/templates/letsencrypt.sh b/webserver/nginx/templates/letsencrypt.sh
deleted file mode 100644
index 2f09b631..00000000
--- a/webserver/nginx/templates/letsencrypt.sh
+++ /dev/null
@@ -1,9 +0,0 @@
-#!/bin/bash
-
-cd /opt/simp_le/
-if [ ! -e venv/bin/python ]; then ./venv.sh; fi
-
-cd /etc/ssl
-PATH=/opt/simp_le/venv/bin:/usr/sbin:/usr/bin:/sbin:/bin
-
-simp_le --email {{ letsencrypt_mail }} -f account_key.json -f key.pem -f fullchain.pem --tos_sha256 {{ letsencrypt_tos_sha256 }} {% for domain in webserver_domains %} -d {{ domain }}.warpzone.ms:/var/www/html {% endfor %} && systemctl reload nginx && /usr/local/bin/docker-compose -f /srv/jabber_test/docker-compose.yml restart && /usr/local/bin/docker-compose -f /srv/jabber/docker-compose.yml
diff --git a/webserver/nginx/templates/nginx-site b/webserver/nginx/templates/nginx-site
deleted file mode 100644
index 5dfc1f10..00000000
--- a/webserver/nginx/templates/nginx-site
+++ /dev/null
@@ -1,82 +0,0 @@
-
-map $http_upgrade $connection_upgrade {
-        default upgrade;
-        ''      close;
-}
-
-server {
-
-	listen 80;
-	listen [::]:80;
-
-	server_name {{ item }}.warpzone.ms;
-	root /dev/null;
-	index index.html;
-
-
-        access_log /dev/null;
-        error_log /dev/null;
-
-        access_log off;
-        error_log off;
-
-
-	location /.well-known/ {
-		root /var/www/html/;
-	}
-
-        {% if sslcert.stat.exists == True %}
-
-        location / {
-               return 301 https://$server_name$request_uri;
-	}
-
-	{% endif %}
-
-}
-
-{% if sslcert.stat.exists == True %}
-
-server {
-
-	listen 443 ssl http2;
-    	listen [::]:443 ssl http2;
-
-	ssl_certificate /etc/ssl/fullchain.pem;
-	ssl_certificate_key /etc/ssl/key.pem;
-	ssl_dhparam /etc/nginx/dhparams.pem;
-
-	ssl_session_tickets off; 
-	ssl_stapling on; 
-	ssl_stapling_verify on; 
-
-	ssl_session_cache shared:SSL:5m;
-	ssl_session_timeout 5m;
-	add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
-
-	# ab nginx > 1.13 ist TLS1.3 möglich 
-	ssl_protocols TLSv1.2;
-	ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;	ssl_prefer_server_ciphers on;    
-
-
-	server_name {{ item }}.warpzone.ms;
-	root /dev/null;
-	index index.html;
-
-
-        access_log /dev/null;
-        error_log /dev/null;
-
-        access_log off;
-        error_log off;
-
-
-	location /.well-known/ {
-		root /var/www/html/;
-	}
-
-        {% include "includes/" + item ignore missing %}
-
-}
-
-{% endif %}
-- 
GitLab