Commit 52370b28 authored by Christian Elberfeld's avatar Christian Elberfeld

umbau nginx auf certbot und deploy prod

parent a694ed05
Showing
with 181 additions and 0 deletions
--- ---
- name: restart nginx - name: restart nginx
service: name=nginx state=restarted service: name=nginx state=restarted
- name: restart telegraf
service: name=telegraf state=restarted
File moved
location / {
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_pass http://127.0.0.1:42001/;
proxy_redirect off;
}
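Review bot: The backend behind `proxy_pass http://127.0.0.1:42001/` receives an `X-Forwarded-For` built with `$proxy_add_x_forwarded_for`, which appends the client address to whatever the client already sent, so a caller can prepend arbitrary addresses; the application must trust only the last hop, or use `X-Real-IP`, which this include overwrites unconditionally. A comment on that line would save the next reader a guess: `# X-Forwarded-For keeps client-supplied values; backend must trust only the rightmost entry (or X-Real-IP)`. Note also that the `map $http_upgrade $connection_upgrade` defined in the nginx-site template is not consumed here, so WebSocket upgrades will not pass through this proxy; if the service on 42001 needs them, add `proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade;`.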
location / {
rewrite ^(.*) https://verwaltung-git.warpzone.ms$1;
}
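Review bot: `rewrite ^(.*) https://verwaltung-git.warpzone.ms$1;` carries no flag, and a rewrite to an absolute URL without `permanent` is answered with a 302, so browsers and caches never learn the move and keep returning to the old host. Prefer `return 301 https://verwaltung-git.warpzone.ms$request_uri;`, which is explicit about the status and carries the query string without relying on rewrite's implicit argument appending.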
location / {
rewrite ^(.*) https://www.warpzone.ms$1;
}
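Review bot: `rewrite ^(.*) https://www.warpzone.ms$1;` has the same issue as the other redirect include: without `permanent` nginx emits a 302 for an absolute-URL rewrite, so the redirect is never cached and the old host keeps taking traffic. `return 301 https://www.warpzone.ms$request_uri;` states the intent and preserves the query string explicitly.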
# Konfiguration einer nginx-site
# {{ item }} enthält den vollständigen Domänennamen
# Falls erforderlich wird das Zertifikat über Letsencrypt geholt
- name: Check if cert already exists for {{ item }}
stat:
path: /etc/letsencrypt/live/{{ item }}/privkey.pem
register: cert
- name: Stop nginx
service: name=nginx state=stopped
notify: restart nginx
when: cert.stat.exists == False
- name: Get Certificate for {{ item }} via Certbot
command: "certbot certonly --non-interactive --agree-tos --standalone -m {{ letsencrypt_mail }} -w /var/www/html/ -d {{ item }}"
when: cert.stat.exists == False
- name: Create nginx config for {{ item }}
template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}
notify: restart nginx
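Review bot: Stopping nginx in a plain task before `certbot certonly --standalone` leaves every site on the host down if certbot fails (DNS not yet pointing at the box, rate limit, port 80 already bound), because a failed `command` aborts the play and the `restart nginx` handler never runs; the `-w /var/www/html/` argument is also meaningless with `--standalone`, which binds port 80 itself. Wrap the stop/issue pair in a `block` with an `always` that brings nginx back, drop `-w`, and write the condition as `when: not cert.stat.exists` rather than comparing against `False`.

```yaml
- name: Bootstrap certificate for {{ item }} (nginx must release port 80 for --standalone)
  block:
    - name: Stop nginx
      service: name=nginx state=stopped
    - name: Get Certificate for {{ item }} via Certbot
      command: "certbot certonly --non-interactive --agree-tos --standalone -m {{ letsencrypt_mail }} -d {{ item }}"
  always:
    # runs even when certbot fails, so a bad domain cannot take the other sites down
    - name: Start nginx again
      service: name=nginx state=started
  when: not cert.stat.exists
# … unchanged: Create nginx config for {{ item }} …
```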
...@@ -6,20 +6,13 @@ ...@@ -6,20 +6,13 @@
state: present state: present
vars: vars:
packages: packages:
- nginx - nginx-light
- git - libnginx-mod-http-lua
- ca-certificates - ca-certificates
- gcc - openssl
- libssl-dev - certbot
- libffi-dev - git
- python
- python-dev
- virtualenv
- name: nginx default Konfig entfernen
file:
path: /etc/nginx/sites-enabled/default
state: absent
# DH Parameter geneieriern # DH Parameter geneieriern
...@@ -32,58 +25,46 @@ ...@@ -32,58 +25,46 @@
command: openssl dhparam -out /etc/nginx/dhparams.pem 2048 command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
when: dhparams.stat.exists == False when: dhparams.stat.exists == False
# sinp_le installieren
- name: create folder simp_le # NginX einrichten
file:
path: "/opt/simp_le/"
state: "directory"
- name: clone simp_le repo - name: nginx default Konfig entfernen
git: file:
repo: "https://github.com/zenhack/simp_le.git" path: /etc/nginx/sites-enabled/default
version: "60ee2111609022e6550dbe137c2a6064890a5ca0" state: absent
dest: "/opt/simp_le/"
# LetsEncrypt Script erstellen # LetsEncrypt Script erstellen
- name: LetsEncrypt Script erstellen - name: LetsEncrypt Script erstellen
template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x
register: letsencryptsh notify: restart nginx
- name: Cronjob für Zertifikatserneuerung - name: Cronjob für Zertifikatserneuerung
cron: name="letsencrypt" weekday="2" hour="20" minute="0" job="/opt/letsencrypt.sh" cron: name="letsencrypt" weekday="*" hour="6" minute="0" job="/opt/letsencrypt.sh"
# nginx konfigurieren (initial, falls noch kein Zertifikat existiert) # nginx konfigurieren
- name: check if fullchain.pem exists - include: config_site.yml
stat: path=/etc/ssl/fullchain.pem with_items:
register: sslcert - "{{ webserver_domains }}"
- name: Konfig-Datei default erstellen (initial) - name: Konfig-Datei status erstellen
template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone.ms template: src=nginx-status dest=/etc/nginx/sites-enabled/status
with_items: webserver_domains
notify: restart nginx notify: restart nginx
when: sslcert.stat.exists == False
- name: nginx restarten (initial)
meta: flush_handlers
when: sslcert.stat.exists == False
- name: Letsencrypt-Zertifikat beantragen und installieren
shell: "/opt/letsencrypt.sh"
when: sslcert.stat.exists == False or letsencryptsh.changed
# nginx konfigurieren # telegraf konfigurieren
- name: Konfig-Datei default erstellen
template: src=nginx-site dest=/etc/nginx/sites-enabled/{{ item }}.wapzone.ms
with_items:
- "{{webserver_domains}}"
notify: restart nginx
- name: Konfig-Datei status erstellen
template: src=telegraf.conf dest=/etc/telegraf/telegraf.d/nginx.conf
notify: restart telegraf
- name: adding existing user 'telegraf' to group adm
user:
name: telegraf
groups: adm
append: yes
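Review bot: `template: src=letsencrypt.sh dest=/opt/letsencrypt.sh mode=o+x` only adds the execute bit for "other" on top of whatever the umask leaves, so the script that root's cron runs ends up world-executable with an otherwise unspecified mode; set it explicitly with `mode: "0750"` plus `owner: root` and `group: root`, and the same block-style module args would replace the `key=value` strings throughout. `- include: config_site.yml` with `with_items` is the loop form deprecated since Ansible 2.4; `include_tasks: config_site.yml` with `loop: "{{ webserver_domains }}"` is the supported spelling. Nothing in the visible templates loads or uses a Lua module, so `libnginx-mod-http-lua` looks like surplus attack surface unless a site include relies on it — worth confirming. The apt task in the first hunk starts before this section, so its package list was only partly visible.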
#!/bin/bash
{% for domain in webserver_domains %}
certbot certonly --non-interactive --agree-tos --webroot -m {{ letsencrypt_mail }} -w /var/www/html/ -d {{ domain }}.void.ms
{% endfor %}
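Review bot: The renewal loop requests certificates for `{{ domain }}.void.ms`, while config_site.yml (its header comment says the item holds the full domain name) and the nginx template use `{{ item }}` from the same `webserver_domains` list as-is, so the daily cron renews a different set of names and the certificates nginx actually serves from `/etc/letsencrypt/live/{{ item }}/` are never renewed; nothing reloads nginx after a renewal either, so even a successful renewal stays unused until the next restart. Since the certificates were obtained with certbot, let certbot manage renewal: `certbot renew --non-interactive --webroot -w /var/www/html/ --deploy-hook "systemctl reload nginx"` (`--renew-hook` on older certbot) replaces the whole loop, and a leading `set -euo pipefail` keeps a failed renewal from exiting 0 under cron.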
map $http_upgrade $connection_upgrade { map $http_upgrade $connection_upgrade {
default upgrade; default upgrade;
'' close; '' close;
...@@ -9,74 +10,47 @@ server { ...@@ -9,74 +10,47 @@ server {
listen 80; listen 80;
listen [::]:80; listen [::]:80;
server_name {{ item }}.warpzone.ms; server_name {{ item }};
root /dev/null; root /dev/null;
index index.html; index index.html;
location /.well-known/acme-challenge/ {
access_log /dev/null;
error_log /dev/null;
access_log off;
error_log off;
location /.well-known/ {
root /var/www/html/; root /var/www/html/;
} }
{% if sslcert.stat.exists == True %}
location / { location / {
return 301 https://$server_name$request_uri; rewrite ^(.*) https://{{ item }}$1 permanent;
} }
{% endif %}
} }
{% if sslcert.stat.exists == True %}
server { server {
listen 443 ssl http2; listen 443 ssl http2;
listen [::]:443 ssl http2; listen [::]:443 ssl http2;
ssl_certificate /etc/ssl/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ item }}/fullchain.pem;
ssl_certificate_key /etc/ssl/key.pem; ssl_certificate_key /etc/letsencrypt/live/{{ item }}/privkey.pem;
ssl_dhparam /etc/nginx/dhparams.pem; ssl_dhparam /etc/nginx/dhparams.pem;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
ssl_session_cache shared:SSL:5m; ssl_session_cache shared:SSL:5m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload;";
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
# ab nginx > 1.13 ist TLS1.3 möglich
ssl_protocols TLSv1.2; ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384; ssl_prefer_server_ciphers on; ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_prefer_server_ciphers on;
server_name {{ item }}.warpzone.ms; server_name {{ item }};
root /dev/null; root /dev/null;
index index.html; index index.html;
location /.well-known/acme-challenge/ {
access_log /dev/null;
error_log /dev/null;
access_log off;
error_log off;
location /.well-known/ {
root /var/www/html/; root /var/www/html/;
} }
{% include "includes/" + item ignore missing %} {% include "includes/" + item ignore missing %}
} }
{% endif %}
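Review bot: `ssl_session_tickets off;`, `ssl_stapling on;` and `ssl_stapling_verify on;` appear on only one side of this section and, with the hunk shrinking from 74 to 47 lines, look removed rather than added; if so, nginx falls back to issuing session tickets under a per-process key that is never rotated (no `ssl_session_ticket_key` is set), which undermines forward secrecy for every session until the next restart, and OCSP stapling is lost — the three lines belong next to `ssl_dhparam`. `location /.well-known/ { root /var/www/html/; }` also widens the old `/.well-known/acme-challenge/` prefix and serves anything under `/var/www/html/.well-known/` on both ports; the narrower prefix is all certbot's webroot mode needs. Note as well that `add_header Strict-Transport-Security` in the `server` block is not inherited by any `location` that sets its own `add_header`, so a site include under `includes/` that adds headers silently drops HSTS for that site.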