ssl, nginx: flexibility and modularity improvements
This commit is contained in:
parent
495216318c
commit
11b11194cb
@ -9,9 +9,6 @@
|
|||||||
|
|
||||||
### Misc settings
|
### Misc settings
|
||||||
|
|
||||||
# Email address for Let's Encrypt and DNS
|
|
||||||
email: dogeystamp@disroot.org
|
|
||||||
|
|
||||||
# Could be sudo instead
|
# Could be sudo instead
|
||||||
escalation_method: doas
|
escalation_method: doas
|
||||||
|
|
||||||
@ -64,7 +61,12 @@ util_pack:
|
|||||||
|
|
||||||
### Network settings (nameserver, address, etc.)
|
### Network settings (nameserver, address, etc.)
|
||||||
|
|
||||||
domain: d.nerdpol.ovh
|
# Domain to send dynamic DNS updates to
|
||||||
|
dyndns_domain: d.nerdpol.ovh
|
||||||
|
|
||||||
|
# Domain actually used for the site (this will be set up to forward to dyndns_domain)
|
||||||
|
# Set this to the same as dyndns_domain if your registrar supports dynamic DNS natively
|
||||||
|
domain: dogeystamp.com
|
||||||
|
|
||||||
# Forward DNS queries to
|
# Forward DNS queries to
|
||||||
dns_forward: 1.1.1.1
|
dns_forward: 1.1.1.1
|
||||||
@ -86,23 +88,94 @@ gateway: 192.168.0.1
|
|||||||
# Connection interface for static IP
|
# Connection interface for static IP
|
||||||
interface: eth0
|
interface: eth0
|
||||||
|
|
||||||
# Email to send renewal notices to
|
|
||||||
acme_email: "{{ email }}"
|
|
||||||
|
|
||||||
# ACME directory to use
|
# Settings for templates in templates/srv_conf/ and service configs
|
||||||
# acme_dir: "https://acme-v02.api.letsencrypt.org/directory"
|
nginx_services:
|
||||||
acme_dir: "https://acme.zerossl.com/v2/DV90"
|
wiki:
|
||||||
|
path: "/"
|
||||||
|
navidrome:
|
||||||
|
path: "/"
|
||||||
|
gitea:
|
||||||
|
path: "/"
|
||||||
|
synapse:
|
||||||
|
# Synapse does not support a prefix path.
|
||||||
|
max_body_size: 50M
|
||||||
|
website:
|
||||||
|
path: "/"
|
||||||
|
|
||||||
# Algorithm for ACME External Account Binding
|
|
||||||
acme_eab_alg: HS256
|
|
||||||
|
|
||||||
|
# List of nginx server blocks
|
||||||
|
|
||||||
|
# domain is the domain this server block listens to
|
||||||
|
# ssl_cert is the name of the SSL certificate and key (see roles/networking/ssl)
|
||||||
|
# listens sets the ports the block will listen to
|
||||||
|
# services is a list of services (templates/srv_conf/) to place in this domain
|
||||||
|
|
||||||
|
# Ensure no two services have the same location (domain and path)
|
||||||
|
|
||||||
|
default_listens:
|
||||||
|
- "443 ssl http2"
|
||||||
|
- "[::]:443 ssl http2"
|
||||||
|
|
||||||
|
server_blocks:
|
||||||
|
wiki:
|
||||||
|
domain: "wiki.{{ domain }}"
|
||||||
|
ssl_cert: "{{ domain }}"
|
||||||
|
listens: "{{ default_listens }}"
|
||||||
|
services:
|
||||||
|
- wiki
|
||||||
|
|
||||||
|
navidrome:
|
||||||
|
domain: "mus.{{ domain }}"
|
||||||
|
ssl_cert: "{{ domain }}"
|
||||||
|
listens: "{{ default_listens }}"
|
||||||
|
services:
|
||||||
|
- navidrome
|
||||||
|
|
||||||
|
gitea:
|
||||||
|
domain: "git.{{ domain }}"
|
||||||
|
ssl_cert: "{{ domain }}"
|
||||||
|
listens: "{{ default_listens }}"
|
||||||
|
services:
|
||||||
|
- gitea
|
||||||
|
|
||||||
|
synapse:
|
||||||
|
domain: "m.{{ domain }}"
|
||||||
|
ssl_cert: "{{ domain }}"
|
||||||
|
listens:
|
||||||
|
- "443 ssl http2"
|
||||||
|
- "[::]:443 ssl http2"
|
||||||
|
- "8448 ssl http2 default_server"
|
||||||
|
- "[::]:8448 ssl http2 default_server"
|
||||||
|
services:
|
||||||
|
- synapse
|
||||||
|
|
||||||
|
website:
|
||||||
|
domain: "www.{{ domain }}"
|
||||||
|
ssl_cert: "{{ domain }}"
|
||||||
|
listens: "{{ default_listens }}"
|
||||||
|
services:
|
||||||
|
- website
|
||||||
|
|
||||||
|
redirect:
|
||||||
|
domain: "{{ dyndns_domain }}"
|
||||||
|
ssl_cert: "{{ dyndns_domain }}"
|
||||||
|
listens: "{{ default_listens }}"
|
||||||
|
services:
|
||||||
|
- redirect
|
||||||
|
|
||||||
|
# Settings for other services not handled by nginx
|
||||||
|
service_info:
|
||||||
|
coturn:
|
||||||
|
domain: "stun.{{ domain }}"
|
||||||
|
ssl_cert: "stun.{{ domain }}"
|
||||||
|
|
||||||
|
|
||||||
### Mediawiki farm variables
|
### Mediawiki farm variables
|
||||||
|
|
||||||
# Internal names for the wikis, used for filenames and URLs
|
# Internal names for the wikis, used for filenames and URLs
|
||||||
wiki_names:
|
wiki_names:
|
||||||
- wiki
|
- bepp
|
||||||
- rw
|
- rw
|
||||||
|
|
||||||
|
|
||||||
@ -131,8 +204,15 @@ form_secret: "secret"
|
|||||||
coturn_secret_key: "secret"
|
coturn_secret_key: "secret"
|
||||||
|
|
||||||
# SSL ACME External Account Binding secrets (optional: required for some CAs)
|
# SSL ACME External Account Binding secrets (optional: required for some CAs)
|
||||||
acme_eab_kid: "secret"
|
|
||||||
acme_eab_key: "secret"
|
# ZeroSSL
|
||||||
|
zerossl_acme_eab_kid: "secret"
|
||||||
|
zerossl_acme_eab_key: "secret"
|
||||||
|
# If you have a different email for ZeroSSL
|
||||||
|
zerossl_email: "you@example.com"
|
||||||
|
|
||||||
|
# Email address for ACME and DNS
|
||||||
|
email: me@example.com
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
@ -7,6 +7,6 @@ protocol=dyndns2
|
|||||||
use=web, web=https://ip.me
|
use=web, web=https://ip.me
|
||||||
ssl=yes # yes = use https for updates
|
ssl=yes # yes = use https for updates
|
||||||
server=ipv4.nsupdate.info
|
server=ipv4.nsupdate.info
|
||||||
login={{ domain }}
|
login={{ dyndns_domain }}
|
||||||
password='{{ ddclient_pass }}'
|
password='{{ ddclient_pass }}'
|
||||||
{{ domain }}
|
{{ dyndns_domain }}
|
||||||
|
@ -1,5 +1,5 @@
|
|||||||
$TTL 604800
|
$TTL 604800
|
||||||
@ IN SOA {{ domain }}. {{ email }}. (
|
@ IN SOA {{ dyndns_domain }}. {{ email }}. (
|
||||||
3 ; Serial
|
3 ; Serial
|
||||||
604800 ; Refresh
|
604800 ; Refresh
|
||||||
86400 ; Retry
|
86400 ; Retry
|
||||||
@ -10,4 +10,4 @@ ns IN A {{ local_ip }}
|
|||||||
@ IN NS localhost.
|
@ IN NS localhost.
|
||||||
@ IN A {{ local_ip }}
|
@ IN A {{ local_ip }}
|
||||||
@ IN AAAA ::1
|
@ IN AAAA ::1
|
||||||
{{ domain }} IN A {{ local_ip }}
|
{{ dyndns_domain }} IN A {{ local_ip }}
|
||||||
|
@ -27,9 +27,9 @@ zone "0.0.127.in-addr.arpa" IN {
|
|||||||
file "127.0.0.zone";
|
file "127.0.0.zone";
|
||||||
};
|
};
|
||||||
|
|
||||||
zone "{{ domain }}" {
|
zone "{{ dyndns_domain }}" {
|
||||||
type master;
|
type master;
|
||||||
file "/var/named/{{ domain }}";
|
file "/var/named/{{ dyndns_domain }}";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
30
roles/networking/ssl/defaults/main.yml
Normal file
30
roles/networking/ssl/defaults/main.yml
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
# List of domains to get an SSL cert for
|
||||||
|
# There will be a *single* certificate covering all of these
|
||||||
|
# Ensure that your CA supports multi-domain certs
|
||||||
|
ssl_domains:
|
||||||
|
- "site.dogeystamp.com"
|
||||||
|
- "d.nerdpol.ovh"
|
||||||
|
- "{{ wiki_domain }}"
|
||||||
|
|
||||||
|
# File name for the certificate
|
||||||
|
cert_name: "{{ ssl_domains[0] }}"
|
||||||
|
|
||||||
|
# File name for the private key
|
||||||
|
key_name: "{{ cert_name }}"
|
||||||
|
|
||||||
|
# Account name for the account key
|
||||||
|
account_name: "account"
|
||||||
|
|
||||||
|
# Email to send renewal notices to
|
||||||
|
acme_email: "{{ email }}"
|
||||||
|
|
||||||
|
# ACME directory to use
|
||||||
|
# (Staging directoy by default.)
|
||||||
|
acme_dir: "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||||
|
|
||||||
|
# SSL ACME External Account Binding settings (optional: required for some CAs)
|
||||||
|
acme_eab: {
|
||||||
|
alg: HS256,
|
||||||
|
key: "",
|
||||||
|
kid: "",
|
||||||
|
}
|
@ -12,19 +12,13 @@
|
|||||||
name: sslr
|
name: sslr
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Add turnserver to SSL read group
|
|
||||||
user:
|
|
||||||
name: "turnserver"
|
|
||||||
append: yes
|
|
||||||
groups: sslr
|
|
||||||
|
|
||||||
- name: Create directories for ACME
|
- name: Create directories for ACME
|
||||||
file:
|
file:
|
||||||
path: "/etc/ssl-acme/{{ item }}"
|
path: "/etc/ssl-acme/{{ item }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0711
|
mode: 0755
|
||||||
with_items:
|
with_items:
|
||||||
- account
|
- account
|
||||||
- certs
|
- certs
|
||||||
@ -33,52 +27,52 @@
|
|||||||
|
|
||||||
- name: Generate ACME account key
|
- name: Generate ACME account key
|
||||||
community.crypto.openssl_privatekey:
|
community.crypto.openssl_privatekey:
|
||||||
path: "/etc/ssl-acme/account/account.key"
|
path: "/etc/ssl-acme/account/{{ account_name }}.key"
|
||||||
owner: root
|
owner: root
|
||||||
group: sslr
|
group: sslr
|
||||||
mode: 0640
|
mode: 0640
|
||||||
|
|
||||||
- name: Generate ACME private key
|
- name: Generate ACME private key
|
||||||
community.crypto.openssl_privatekey:
|
community.crypto.openssl_privatekey:
|
||||||
path: "/etc/ssl-acme/keys/{{ domain }}.key"
|
path: "/etc/ssl-acme/keys/{{ key_name }}.key"
|
||||||
owner: root
|
owner: root
|
||||||
group: sslr
|
group: sslr
|
||||||
mode: 0640
|
mode: 0640
|
||||||
|
|
||||||
- name: Check if certificate exists
|
- name: Check if certificate file exists
|
||||||
stat:
|
stat:
|
||||||
path: "/etc/ssl-acme/certs/{{ domain }}.crt"
|
path: "/etc/ssl-acme/certs/{{ cert_name }}.crt"
|
||||||
register: cert_file
|
register: cert_file
|
||||||
|
|
||||||
- name: Check if certificate is expired
|
- name: Check if certificate is expired
|
||||||
community.crypto.x509_certificate_info:
|
community.crypto.x509_certificate_info:
|
||||||
path: "/etc/ssl-acme/certs/{{ domain }}.crt"
|
path: "{{ cert_file.stat.path }}"
|
||||||
valid_at:
|
valid_at:
|
||||||
now: "+3w"
|
now: "+3w"
|
||||||
register: result
|
|
||||||
when: cert_file.stat.exists
|
when: cert_file.stat.exists
|
||||||
|
register: expired_cert
|
||||||
|
|
||||||
- name: Determine whether the certificate should be regenerated
|
- name: Determine whether the certificate should be regenerated
|
||||||
set_fact:
|
set_fact:
|
||||||
cert_regen: yes
|
to_regen: "{{ ssl_domains }}"
|
||||||
when: not cert_file.stat.exists or result.expired | bool
|
when: not cert_file.stat.exists or not expired_cert.valid_at.now
|
||||||
|
|
||||||
- name: Configure nginx for ACME
|
- name: Configure nginx for ACME
|
||||||
template:
|
template:
|
||||||
src: nginx_bare.conf.j2
|
src: nginx_bare.conf.j2
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/nginx.conf
|
||||||
when: cert_regen is defined
|
when: to_regen is defined
|
||||||
|
|
||||||
- name: Restart nginx service
|
- name: Restart nginx service
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
state: restarted
|
state: restarted
|
||||||
enabled: yes
|
enabled: yes
|
||||||
when: cert_regen is defined
|
when: to_regen is defined
|
||||||
|
|
||||||
- name: Create ACME account
|
- name: Create ACME account
|
||||||
community.crypto.acme_account:
|
community.crypto.acme_account:
|
||||||
account_key_src: /etc/ssl-acme/account/account.key
|
account_key_src: "/etc/ssl-acme/account/{{ account_name }}.key"
|
||||||
state: present
|
state: present
|
||||||
allow_creation: yes
|
allow_creation: yes
|
||||||
contact:
|
contact:
|
||||||
@ -86,66 +80,65 @@
|
|||||||
acme_directory: "{{ acme_dir }}"
|
acme_directory: "{{ acme_dir }}"
|
||||||
terms_agreed: 1
|
terms_agreed: 1
|
||||||
acme_version: 2
|
acme_version: 2
|
||||||
external_account_binding: {alg: "{{ acme_eab_alg }}", key: "{{ acme_eab_key }}", kid: "{{ acme_eab_kid }}"}
|
external_account_binding: "{{ (acme_eab.key != '') | ternary(acme_eab, omit) }}"
|
||||||
register: account
|
register: account
|
||||||
when: cert_regen is defined
|
when: to_regen is defined
|
||||||
|
|
||||||
- name: Generate ACME CSR
|
- name: Generate ACME CSR
|
||||||
community.crypto.openssl_csr:
|
community.crypto.openssl_csr:
|
||||||
path: "/etc/ssl-acme/csrs/{{ domain }}.csr"
|
path: "/etc/ssl-acme/csrs/{{ cert_name }}.csr"
|
||||||
common_name: "{{ domain }}"
|
subject_alt_name: "{{ to_regen | map('regex_replace', '^', 'DNS:') | join(',') }}"
|
||||||
subject_alt_name: "DNS:{{ domain }}"
|
privatekey_path: "/etc/ssl-acme/keys/{{ key_name }}.key"
|
||||||
privatekey_path: "/etc/ssl-acme/keys/{{ domain }}.key"
|
when: to_regen is defined
|
||||||
when: cert_regen is defined
|
|
||||||
|
|
||||||
- name: Retrieve ACME challenge
|
- name: Retrieve ACME challenge
|
||||||
community.crypto.acme_certificate:
|
community.crypto.acme_certificate:
|
||||||
acme_directory: "{{ acme_dir }}"
|
acme_directory: "{{ acme_dir }}"
|
||||||
acme_version: 2
|
acme_version: 2
|
||||||
account_key_src: /etc/ssl-acme/account/account.key
|
account_key_src: "/etc/ssl-acme/account/{{ account_name }}.key"
|
||||||
account_uri: "{{ account.account_uri }}"
|
account_uri: "{{ account.account_uri }}"
|
||||||
account_email: "{{ acme_email }}"
|
account_email: "{{ acme_email }}"
|
||||||
terms_agreed: 1
|
terms_agreed: 1
|
||||||
challenge: http-01
|
challenge: http-01
|
||||||
csr: "/etc/ssl-acme/csrs/{{ domain }}.csr"
|
csr: "/etc/ssl-acme/csrs/{{ cert_name }}.csr"
|
||||||
dest: "/etc/ssl-acme/certs/{{ domain }}.crt"
|
dest: "/etc/ssl-acme/certs/{{ cert_name }}.crt"
|
||||||
fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ domain }}.crt"
|
fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ cert_name }}.crt"
|
||||||
remaining_days: 91
|
remaining_days: 91
|
||||||
register: acme_challenge
|
register: acme_challenge
|
||||||
when: cert_regen is defined
|
when: to_regen is defined
|
||||||
|
|
||||||
- name: Create ACME challenge directory
|
- name: Create ACME challenge directory
|
||||||
file:
|
file:
|
||||||
path: "{{ webroot }}/.well-known/acme-challenge"
|
path: "{{ webroot }}/{{ item }}/.well-known/acme-challenge"
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0755
|
mode: 0755
|
||||||
when: cert_regen is defined
|
with_items: "{{ to_regen }}"
|
||||||
|
when: to_regen is defined
|
||||||
|
|
||||||
- name: Add ACME challenge files
|
- name: Add ACME challenge files
|
||||||
copy:
|
copy:
|
||||||
content: "{{ acme_challenge['challenge_data'][item]['http-01']['resource_value'] }}"
|
content: "{{ item.value['http-01']['resource_value'] }}"
|
||||||
dest: "{{ webroot }}/{{ acme_challenge['challenge_data'][item]['http-01']['resource'] }}"
|
dest: "{{ webroot }}/{{ item.key }}/{{ item.value['http-01']['resource'] }}"
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 644
|
mode: 644
|
||||||
with_items:
|
with_items: "{{ acme_challenge['challenge_data'] | dict2items }}"
|
||||||
- "{{ domain }}"
|
when: to_regen is defined
|
||||||
when: cert_regen is defined
|
|
||||||
|
|
||||||
- name: Complete ACME challenge
|
- name: Complete ACME challenge
|
||||||
community.crypto.acme_certificate:
|
community.crypto.acme_certificate:
|
||||||
acme_directory: "{{ acme_dir }}"
|
acme_directory: "{{ acme_dir }}"
|
||||||
acme_version: 2
|
acme_version: 2
|
||||||
account_key_src: /etc/ssl-acme/account/account.key
|
account_key_src: "/etc/ssl-acme/account/{{ account_name }}.key"
|
||||||
account_email: "{{ acme_email }}"
|
account_email: "{{ acme_email }}"
|
||||||
account_uri: "{{ account.account_uri }}"
|
account_uri: "{{ account.account_uri }}"
|
||||||
challenge: http-01
|
challenge: http-01
|
||||||
terms_agreed: 1
|
terms_agreed: 1
|
||||||
csr: "/etc/ssl-acme/csrs/{{ domain }}.csr"
|
csr: "/etc/ssl-acme/csrs/{{ cert_name }}.csr"
|
||||||
dest: "/etc/ssl-acme/certs/{{ domain }}.crt"
|
dest: "/etc/ssl-acme/certs/{{ cert_name }}.crt"
|
||||||
fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ domain }}.crt"
|
fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ cert_name }}.crt"
|
||||||
chain_dest: "/etc/ssl-acme/certs/chain_{{ domain }}.crt"
|
chain_dest: "/etc/ssl-acme/certs/chain_{{ cert_name }}.crt"
|
||||||
data: "{{ acme_challenge }}"
|
data: "{{ acme_challenge }}"
|
||||||
when: cert_regen is defined
|
when: to_regen is defined
|
||||||
|
@ -6,12 +6,14 @@ events {
|
|||||||
}
|
}
|
||||||
|
|
||||||
http {
|
http {
|
||||||
|
{% for item in to_regen %}
|
||||||
server {
|
server {
|
||||||
listen 80;
|
listen 80;
|
||||||
server_name {{ domain }};
|
server_name {{ item }};
|
||||||
root {{ webroot }}/;
|
root {{ webroot }}/{{ item }};
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
{% endfor %}
|
||||||
}
|
}
|
||||||
|
@ -3,6 +3,12 @@
|
|||||||
name: coturn
|
name: coturn
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: Add turnserver to SSL read group
|
||||||
|
user:
|
||||||
|
name: "turnserver"
|
||||||
|
append: yes
|
||||||
|
groups: sslr
|
||||||
|
|
||||||
- name: Get public IP address
|
- name: Get public IP address
|
||||||
community.general.ipify_facts:
|
community.general.ipify_facts:
|
||||||
|
|
||||||
|
@ -1,7 +1,7 @@
|
|||||||
use-auth-secret
|
use-auth-secret
|
||||||
static-auth-secret={{ coturn_secret_key }}
|
static-auth-secret={{ coturn_secret_key }}
|
||||||
|
|
||||||
realm={{ domain }}
|
realm={{ service_info.coturn.domain }}
|
||||||
server-name=turnserver
|
server-name=turnserver
|
||||||
|
|
||||||
syslog
|
syslog
|
||||||
@ -34,8 +34,8 @@ user-quota=12
|
|||||||
total-quota=1200
|
total-quota=1200
|
||||||
|
|
||||||
# TLS
|
# TLS
|
||||||
cert=/etc/ssl-acme/certs/fullchain_{{ domain }}.crt
|
cert=/etc/ssl-acme/certs/fullchain_{{ service_info.coturn.ssl_cert }}.crt
|
||||||
pkey=/etc/ssl-acme/keys/{{ domain }}.key
|
pkey=/etc/ssl-acme/keys/{{ service_info.coturn.ssl_cert }}.key
|
||||||
|
|
||||||
# External IP address (automatically managed: do not edit!)
|
# External IP address (automatically managed: do not edit!)
|
||||||
external-ip={{ ansible_facts.ipify_public_ip }}
|
external-ip={{ ansible_facts.ipify_public_ip }}
|
||||||
|
@ -267,8 +267,8 @@ FILE_EXTENSIONS = .md,.markdown,.mdown,.mkd
|
|||||||
[server]
|
[server]
|
||||||
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
|
; The protocol the server listens on. One of 'http', 'https', 'unix' or 'fcgi'.
|
||||||
PROTOCOL = http
|
PROTOCOL = http
|
||||||
DOMAIN = {{ domain }}
|
DOMAIN = {{ server_blocks.gitea.domain }}
|
||||||
ROOT_URL = http://{{ domain }}/git/
|
ROOT_URL = http://{{ server_blocks.gitea.domain }}{{ nginx_services.gitea.path }}
|
||||||
; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
|
; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
|
||||||
STATIC_URL_PREFIX =
|
STATIC_URL_PREFIX =
|
||||||
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
|
; The address to listen on. Either a IPv4/IPv6 address or the path to a unix socket.
|
||||||
|
@ -1,2 +1,2 @@
|
|||||||
MusicFolder = "{{ dataroot }}/navidrome/mus/"
|
MusicFolder = "{{ dataroot }}/navidrome/mus/"
|
||||||
BaseUrl = "/mus"
|
BaseUrl = "{{ nginx_services.navidrome.path }}"
|
||||||
|
@ -42,7 +42,7 @@ modules:
|
|||||||
# lowercase and may contain an explicit port.
|
# lowercase and may contain an explicit port.
|
||||||
# Examples: matrix.org, localhost:8080
|
# Examples: matrix.org, localhost:8080
|
||||||
#
|
#
|
||||||
server_name: "{{ domain }}"
|
server_name: "{{ server_blocks.synapse.domain }}"
|
||||||
|
|
||||||
# When running as a daemon, the file to store the pid in
|
# When running as a daemon, the file to store the pid in
|
||||||
#
|
#
|
||||||
@ -1059,7 +1059,7 @@ url_preview_accept_language:
|
|||||||
|
|
||||||
# The public URIs of the TURN server to give to clients
|
# The public URIs of the TURN server to give to clients
|
||||||
#
|
#
|
||||||
turn_uris: [ "turn:{{ domain }}?transport=udp", "turn:{{ domain }}?transport=tcp" ]
|
turn_uris: [ "turn:{{ service_info.coturn.domain }}?transport=udp", "turn:{{ service_info.coturn.domain }}?transport=tcp" ]
|
||||||
|
|
||||||
# The shared secret used to compute passwords for the TURN server
|
# The shared secret used to compute passwords for the TURN server
|
||||||
#
|
#
|
||||||
|
@ -3,12 +3,30 @@
|
|||||||
name: nginx
|
name: nginx
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
|
- name: Create nginx conf.d directory
|
||||||
|
file:
|
||||||
|
path: /etc/nginx/conf.d
|
||||||
|
state: directory
|
||||||
|
|
||||||
- name: Configure nginx
|
- name: Configure nginx
|
||||||
template:
|
template:
|
||||||
src: nginx.conf.j2
|
src: nginx.conf.j2
|
||||||
dest: /etc/nginx/nginx.conf
|
dest: /etc/nginx/nginx.conf
|
||||||
notify: Restart webserver
|
notify: Restart webserver
|
||||||
|
|
||||||
|
- name: Create nginx SSL configuration file
|
||||||
|
template:
|
||||||
|
src: ssl.conf.j2
|
||||||
|
dest: /etc/nginx/ssl.conf
|
||||||
|
notify: Restart webserver
|
||||||
|
|
||||||
|
- name: Create nginx server blocks
|
||||||
|
template:
|
||||||
|
src: server_block.j2
|
||||||
|
dest: "/etc/nginx/conf.d/{{ item }}.conf"
|
||||||
|
with_items: "{{ server_blocks }}"
|
||||||
|
notify: Restart webserver
|
||||||
|
|
||||||
- name: Enable nginx service
|
- name: Enable nginx service
|
||||||
service:
|
service:
|
||||||
name: nginx
|
name: nginx
|
||||||
|
@ -1,95 +1,33 @@
|
|||||||
|
user http;
|
||||||
worker_processes 1;
|
worker_processes 1;
|
||||||
|
|
||||||
events {
|
events {
|
||||||
worker_connections 1024;
|
worker_connections 1024;
|
||||||
}
|
}
|
||||||
|
|
||||||
http { include mime.types;
|
http {
|
||||||
|
include mime.types;
|
||||||
disable_symlinks off;
|
|
||||||
|
|
||||||
default_type application/octet-stream;
|
default_type application/octet-stream;
|
||||||
|
|
||||||
sendfile on;
|
sendfile on;
|
||||||
|
tcp_nodelay on;
|
||||||
|
tcp_nopush on;
|
||||||
keepalive_timeout 65;
|
keepalive_timeout 65;
|
||||||
types_hash_max_size 4096;
|
types_hash_max_size 4096;
|
||||||
root {{ webroot }}/;
|
|
||||||
|
access_log /var/log/nginx/access.log;
|
||||||
|
error_log /var/log/nginx/error.log warn;
|
||||||
|
|
||||||
|
gzip on;
|
||||||
|
gzip_disable "msie6";
|
||||||
|
|
||||||
|
include /etc/nginx/conf.d/*.conf;
|
||||||
|
|
||||||
server {
|
server {
|
||||||
if ($host = {{ domain }}) {
|
listen 80 default_server;
|
||||||
|
|
||||||
|
server_name _;
|
||||||
|
|
||||||
return 301 https://$host$request_uri;
|
return 301 https://$host$request_uri;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
server {
|
|
||||||
|
|
||||||
ssl_certificate /etc/ssl-acme/certs/fullchain_{{ domain }}.crt;
|
|
||||||
ssl_certificate_key /etc/ssl-acme/keys/{{ domain }}.key;
|
|
||||||
|
|
||||||
ssl_session_cache shared:SSL:1m;
|
|
||||||
ssl_session_timeout 5m;
|
|
||||||
|
|
||||||
ssl_ciphers HIGH:!aNULL:!MD5;
|
|
||||||
ssl_prefer_server_ciphers on;
|
|
||||||
|
|
||||||
listen 443 ssl http2;
|
|
||||||
listen [::]:443 ssl http2;
|
|
||||||
|
|
||||||
listen 8448 ssl http2 default_server;
|
|
||||||
listen [::]:8448 ssl http2 default_server;
|
|
||||||
|
|
||||||
server_name {{ domain }};
|
|
||||||
|
|
||||||
location ~* ^(\/_matrix|\/_synapse\/client) {
|
|
||||||
proxy_pass http://localhost:8008;
|
|
||||||
proxy_set_header X-Forwarded-For $remote_addr;
|
|
||||||
proxy_set_header X-Forwarded-Proto $scheme;
|
|
||||||
proxy_set_header Host $host;
|
|
||||||
|
|
||||||
client_max_body_size 50M;
|
|
||||||
}
|
|
||||||
|
|
||||||
location = / {
|
|
||||||
return 301 https://{{ domain }}/site/index.html;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /site {
|
|
||||||
index index.html;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /wiki {
|
|
||||||
index index.php;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /rw {
|
|
||||||
index index.php;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /git/ {
|
|
||||||
proxy_pass http://localhost:3000/ ;
|
|
||||||
}
|
|
||||||
|
|
||||||
location /mus/ {
|
|
||||||
proxy_pass http://localhost:4533/mus/ ;
|
|
||||||
}
|
|
||||||
|
|
||||||
location ~ \.php$ {
|
|
||||||
# 404
|
|
||||||
try_files $fastcgi_script_name =404;
|
|
||||||
|
|
||||||
# default fastcgi_params
|
|
||||||
include fastcgi_params;
|
|
||||||
|
|
||||||
# fastcgi settings
|
|
||||||
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
|
|
||||||
fastcgi_index index.php;
|
|
||||||
fastcgi_buffers 8 16k;
|
|
||||||
fastcgi_buffer_size 32k;
|
|
||||||
|
|
||||||
# fastcgi params
|
|
||||||
fastcgi_param DOCUMENT_ROOT $realpath_root;
|
|
||||||
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
|
||||||
#fastcgi_param PHP_ADMIN_VALUE "open_basedir=$base/:/usr/lib/php/:/tmp/";
|
|
||||||
}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
16
roles/services/webserver/templates/server_block.j2
Normal file
16
roles/services/webserver/templates/server_block.j2
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
server {
|
||||||
|
ssl_certificate /etc/ssl-acme/certs/fullchain_{{ server_blocks[item].ssl_cert }}.crt;
|
||||||
|
ssl_certificate_key /etc/ssl-acme/keys/{{ server_blocks[item].ssl_cert }}.key;
|
||||||
|
|
||||||
|
include ssl.conf;
|
||||||
|
|
||||||
|
server_name {{ server_blocks[item].domain }};
|
||||||
|
|
||||||
|
{% for listener in server_blocks[item].listens %}
|
||||||
|
listen {{ listener }};
|
||||||
|
{% endfor %}
|
||||||
|
|
||||||
|
{% for srv in server_blocks[item].services %}
|
||||||
|
{% include "srv_conf/" + srv + ".conf.j2" %}
|
||||||
|
{% endfor %}
|
||||||
|
}
|
@ -0,0 +1,3 @@
|
|||||||
|
location {{ nginx_services[srv].path }} {
|
||||||
|
proxy_pass http://localhost:3000{{ nginx_services[srv].path }} ;
|
||||||
|
}
|
@ -0,0 +1,3 @@
|
|||||||
|
location {{ nginx_services[srv].path }} {
|
||||||
|
proxy_pass http://localhost:4533{{ nginx_services[srv].path }} ;
|
||||||
|
}
|
@ -0,0 +1 @@
|
|||||||
|
return 301 https://www.{{ domain }}$request_uri;
|
@ -0,0 +1,8 @@
|
|||||||
|
location ~* ^(\/_matrix|\/_synapse\/client) {
|
||||||
|
proxy_pass http://localhost:8008;
|
||||||
|
proxy_set_header X-Forwarded-For $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
|
||||||
|
client_max_body_size {{ nginx_services[srv].max_body_size }};
|
||||||
|
}
|
@ -0,0 +1,4 @@
|
|||||||
|
location {{ nginx_services[srv].path }} {
|
||||||
|
root {{ webroot }}/{{ server_blocks.website.domain }}{{ nginx_services[srv].path }};
|
||||||
|
index index.html;
|
||||||
|
}
|
17
roles/services/webserver/templates/srv_conf/wiki.conf.j2
Normal file
17
roles/services/webserver/templates/srv_conf/wiki.conf.j2
Normal file
@ -0,0 +1,17 @@
|
|||||||
|
location {{ nginx_services[srv].path }} {
|
||||||
|
index index.php;
|
||||||
|
}
|
||||||
|
|
||||||
|
location ~ \.php$ {
|
||||||
|
try_files $fastcgi_script_name = 404;
|
||||||
|
|
||||||
|
include fastcgi_params;
|
||||||
|
|
||||||
|
fastcgi_pass unix:/run/php-fpm/php-fpm.sock;
|
||||||
|
fastcgi_index index.php;
|
||||||
|
fastcgi_buffers 8 16k;
|
||||||
|
fastcgi_buffer_size 32k;
|
||||||
|
|
||||||
|
fastcgi_param DOCUMENT_ROOT $realpath_root;
|
||||||
|
fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
|
||||||
|
}
|
7
roles/services/webserver/templates/ssl.conf.j2
Normal file
7
roles/services/webserver/templates/ssl.conf.j2
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
# General SSL settings
|
||||||
|
|
||||||
|
ssl_session_cache shared:SSL:1m;
|
||||||
|
ssl_session_timeout 5m;
|
||||||
|
|
||||||
|
ssl_ciphers HIGH:!aNULL:!MD5;
|
||||||
|
ssl_prefer_server_ciphers on;
|
@ -1,3 +1,11 @@
|
|||||||
|
- name: Set site path
|
||||||
|
set_fact:
|
||||||
|
path: "{{ server_blocks.website.domain }}{{ nginx_services.website.path }}"
|
||||||
|
|
||||||
|
- name: Set full root
|
||||||
|
set_fact:
|
||||||
|
fullroot: "{{ webroot }}/{{ path }}"
|
||||||
|
|
||||||
- name: Install required packages
|
- name: Install required packages
|
||||||
community.general.pacman:
|
community.general.pacman:
|
||||||
name:
|
name:
|
||||||
@ -25,13 +33,13 @@
|
|||||||
file:
|
file:
|
||||||
group: http
|
group: http
|
||||||
owner: http
|
owner: http
|
||||||
path: "{{ webroot }}/site/"
|
path: "{{ fullroot }}"
|
||||||
state: directory
|
state: directory
|
||||||
register: site_folder
|
register: site_folder
|
||||||
|
|
||||||
- name: Deploy source to web root
|
- name: Deploy source to web root
|
||||||
shell:
|
shell:
|
||||||
cmd: "./ssg6 src {{ webroot }}/site/ 'dogeystamp' 'https://{{ domain }}/site'"
|
cmd: "./ssg6 src {{ fullroot }} '{{ web_name }}' 'https://{{ path }}'"
|
||||||
chdir: /srv/web_source
|
chdir: /srv/web_source
|
||||||
when: site_source.changed or site_folder.changed or site_perm.changed
|
when: site_source.changed or site_folder.changed or site_perm.changed
|
||||||
become_user: http
|
become_user: http
|
||||||
@ -42,4 +50,4 @@
|
|||||||
name: "Update and deploy website source"
|
name: "Update and deploy website source"
|
||||||
minute: 0
|
minute: 0
|
||||||
hour: "*/12"
|
hour: "*/12"
|
||||||
job: "git -C /srv/web_source/ pull && /srv/web_source/ssg6 /srv/web_source/src {{ webroot }}/site/ '{{ web_name }}' 'https://{{ domain }}/site'"
|
job: "git -C /srv/web_source/ pull && /srv/web_source/ssg6 /srv/web_source/src {{ fullroot }} '{{ web_name }}' 'https://{{ path }}'"
|
||||||
|
@ -9,23 +9,32 @@
|
|||||||
|
|
||||||
state: present
|
state: present
|
||||||
|
|
||||||
- name: Symlink wikis into web root
|
- name: Set wiki root
|
||||||
|
set_fact:
|
||||||
|
wiki_root: "{{ webroot }}/{{ server_blocks.wiki.domain }}{{ nginx_services.wiki.path }}"
|
||||||
|
|
||||||
|
- name: Create wiki web root
|
||||||
|
file:
|
||||||
|
path: "{{ wiki_root }}"
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Symlink wikis into wiki web root
|
||||||
file:
|
file:
|
||||||
src: /usr/share/webapps/mediawiki
|
src: /usr/share/webapps/mediawiki
|
||||||
dest: "{{ webroot }}/{{ item }}"
|
dest: "{{ wiki_root }}/{{ item }}"
|
||||||
state: link
|
state: link
|
||||||
with_items: "{{ wiki_names }}"
|
with_items: "{{ wiki_names }}"
|
||||||
|
|
||||||
- name: Deploy wiki-farm main configuration file
|
- name: Deploy wiki-farm main configuration file
|
||||||
template:
|
template:
|
||||||
src: LocalSettings.php.j2
|
src: LocalSettings.php.j2
|
||||||
dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings.php"
|
dest: "{{ wiki_root }}/{{ wiki_names[0] }}/LocalSettings.php"
|
||||||
mode: u=rwx,g=r,o=r
|
mode: u=rwx,g=r,o=r
|
||||||
|
|
||||||
- name: Deploy configuration files for individual wikis
|
- name: Deploy configuration files for individual wikis
|
||||||
template:
|
template:
|
||||||
src: "LocalSettings_{{ item.1 }}.php.j2"
|
src: "LocalSettings_{{ item.1 }}.php.j2"
|
||||||
dest: "{{ webroot }}/{{ wiki_names[0] }}/LocalSettings_{{ item.1 }}.php"
|
dest: "{{ wiki_root }}/{{ wiki_names[0] }}/LocalSettings_{{ item.1 }}.php"
|
||||||
with_indexed_items: "{{ wiki_names }}"
|
with_indexed_items: "{{ wiki_names }}"
|
||||||
|
|
||||||
- name: Ensure correct permissions on data
|
- name: Ensure correct permissions on data
|
||||||
@ -37,7 +46,7 @@
|
|||||||
- name: Copy wiki logo files
|
- name: Copy wiki logo files
|
||||||
copy:
|
copy:
|
||||||
src: "{{ item }}"
|
src: "{{ item }}"
|
||||||
dest: "{{ webroot }}/{{ wiki_names[0] }}/resources/assets/"
|
dest: "{{ wiki_root }}/{{ wiki_names[0] }}/resources/assets/"
|
||||||
with_fileglob:
|
with_fileglob:
|
||||||
- logos/*.png
|
- logos/*.png
|
||||||
|
|
||||||
|
36
run.yml
36
run.yml
@ -65,11 +65,47 @@
|
|||||||
- mail
|
- mail
|
||||||
when: enable_mail
|
when: enable_mail
|
||||||
|
|
||||||
|
# Main SSL certificate (with Let's Encrypt)
|
||||||
- role: networking/ssl
|
- role: networking/ssl
|
||||||
tags:
|
tags:
|
||||||
- ssl
|
- ssl
|
||||||
|
acme_dir: "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
cert_name: "{{ domain }}"
|
||||||
|
ssl_domains:
|
||||||
|
- "{{ server_blocks.wiki.domain }}"
|
||||||
|
- "{{ server_blocks.synapse.domain }}"
|
||||||
|
- "{{ server_blocks.website.domain }}"
|
||||||
|
- "{{ server_blocks.gitea.domain }}"
|
||||||
|
- "{{ server_blocks.navidrome.domain }}"
|
||||||
|
account_name: "letsencrypt"
|
||||||
when: enable_ssl
|
when: enable_ssl
|
||||||
|
|
||||||
|
# SSL cert for dyndns_domain
|
||||||
|
- role: networking/ssl
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
acme_dir: "https://acme-v02.api.letsencrypt.org/directory"
|
||||||
|
ssl_domains:
|
||||||
|
- "{{ dyndns_domain }}"
|
||||||
|
account_name: "letsencrypt"
|
||||||
|
when: enable_ssl and dyndns_domain != domain
|
||||||
|
|
||||||
|
# ZeroSSL certificate for Coturn (see https://bugs.chromium.org/p/webrtc/issues/detail?id=11710)
|
||||||
|
- role: networking/ssl
|
||||||
|
tags:
|
||||||
|
- ssl
|
||||||
|
acme_dir: "https://acme.zerossl.com/v2/DV90"
|
||||||
|
ssl_domains:
|
||||||
|
- "{{ service_info.coturn.domain }}"
|
||||||
|
acme_eab: {
|
||||||
|
alg: HS256,
|
||||||
|
key: "{{ zerossl_acme_eab_key }}",
|
||||||
|
kid: "{{ zerossl_acme_eab_kid }}"
|
||||||
|
}
|
||||||
|
acme_email: "{{ zerossl_email }}"
|
||||||
|
account_name: "zerossl"
|
||||||
|
when: enable_ssl and enable_coturn
|
||||||
|
|
||||||
- role: services/webserver
|
- role: services/webserver
|
||||||
tags:
|
tags:
|
||||||
- webserver
|
- webserver
|
||||||
|
Reference in New Issue
Block a user