Determine wildcard cert paths and tidy nginx role

2022-05-23 22:33:17 -04:00 · 2022-05-23 22:33:17 -04:00 · 209ff57a4a
commit 209ff57a4a
parent 9a4aece442
5 changed files with 31 additions and 17 deletions
--- a/dev/host_vars/proxy.yml
+++ b/dev/host_vars/proxy.yml
@ -8,6 +8,7 @@ manage_network: false
 proxy:
  #production: true
  dns_cloudflare:
+    opts: --test-cert
    #email: realemail@example.com
    #api_token: CLOUDFLARE_DNS01_API_TOKEN
    wildcard_domains:
@ -15,14 +16,8 @@ proxy:
  servers:
    - domain: "{{ bitwarden_domain }}"
      proxy_pass: "http://127.0.0.1:8080"
-      tls:
-        cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
-        key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
    - domain: "{{ gitea_domain }}"
      proxy_pass: "http://127.0.0.1:3080"
-      tls:
-        cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
-        key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem

 # docker
 docker_users:
--- a/roles/proxy/files/restart-nginx.sh
+++ b/roles/proxy/files/restart-nginx.sh
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@ -20,10 +20,20 @@
 - name: Install nginx sites configuration
  template:
    src: server-nginx.conf.j2
-    dest: "/etc/nginx/conf.d/{{ item.domain }}.conf"
+    dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
    mode: '0644'
  loop: "{{ proxy.servers }}"
  notify: reload_nginx
+  register: nginx_sites
+
+- name: Enable nginx sites configuration
+  file:
+    src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
+    state: link
+  loop: "{{ nginx_sites.results }}"
+  when: item.changed
+  notify: reload_nginx

 - name: Generate self-signed certificate
  shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
@ -32,21 +42,21 @@
          -out    /etc/ssl/certs/nginx-selfsigned.crt'
  args:
    creates: /etc/ssl/certs/nginx-selfsigned.crt
-  when: not proxy.production
+  when: proxy.production is not defined or not proxy.production
  notify: reload_nginx

 - name: Install LE's certbot
  apt:
    name: ['certbot', 'python3-certbot-dns-cloudflare']
    state: present
-  when: proxy.production
+  when: proxy.production is defined and proxy.production

 - name: Install Cloudflare API token
  template:
    src: cloudflare.ini.j2
    dest: /root/.cloudflare.ini
    mode: '0600'
-  when: proxy.production and proxy.dns_cloudflare is defined
+  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined

 - name: Create nginx post renewal hook directory
  file:
@ -55,10 +65,10 @@

 - name: Install nginx post renewal hook
  copy:
-    src: restart-nginx.sh
-    dest: /etc/letsencrypt/renewal-hooks/post/nginx.sh
+    src: reload-nginx.sh
+    dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
    mode: '0755'
-  when: proxy.production
+  when: proxy.production is defined and proxy.production

 - name: Run Cloudflare DNS-01 challenges on wildcard domains
  shell: '/usr/bin/certbot certonly \
@ -67,9 +77,9 @@
            --email "{{ proxy.dns_cloudflare.email }}" \
            --dns-cloudflare \
            --dns-cloudflare-credentials /root/.cloudflare.ini \
-            -d "*.{{ item }}"'
+            -d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}'
  args:
    creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
  loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
-  when: proxy.production and proxy.dns_cloudflare is defined
+  when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
  notify: reload_nginx
--- a/roles/proxy/templates/nginx.conf.j2
+++ b/roles/proxy/templates/nginx.conf.j2
@ -22,4 +22,5 @@ http {
  server_names_hash_bucket_size 128;

  include           /etc/nginx/conf.d/*.conf;
+  include           /etc/nginx/sites-enabled/*;
 }
--- a/roles/proxy/templates/server-nginx.conf.j2
+++ b/roles/proxy/templates/server-nginx.conf.j2
@ -2,10 +2,18 @@ server {
  listen              443 ssl;
  server_name         {{ item.domain }};
  access_log          /var/log/nginx/{{ item.domain }}.log main;
-{% if proxy.production and item.tls.cert is not defined %}
+{% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
+{% for wildcard in proxy.dns_cloudflare.wildcard_domains %}
+{% set domain_regex = '^\*\.' + wildcard + '$' %}
+{% if item.domain | regex_search(wildcard) %}
+  ssl_certificate     /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem;
+{% endif %}
+{% endfor %}
+{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}
  ssl_certificate     /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
-{% elif proxy.production and item.tls.cert is defined %}
+{% elif proxy.production is defined and proxy.production and item.tls.cert is defined %}
  ssl_certificate     {{ item.tls.cert }};
  ssl_certificate_key {{ item.tls.key }};
 {% else %}