Determine wildcard cert paths and tidy nginx role

This commit is contained in:
Kris Lamoureux 2022-05-23 22:33:17 -04:00
parent 9a4aece442
commit 209ff57a4a
Signed by: kris
GPG Key ID: 3EDA9C3441EDA925
5 changed files with 31 additions and 17 deletions

View File

@ -8,6 +8,7 @@ manage_network: false
proxy: proxy:
#production: true #production: true
dns_cloudflare: dns_cloudflare:
opts: --test-cert
#email: realemail@example.com #email: realemail@example.com
#api_token: CLOUDFLARE_DNS01_API_TOKEN #api_token: CLOUDFLARE_DNS01_API_TOKEN
wildcard_domains: wildcard_domains:
@ -15,14 +16,8 @@ proxy:
servers: servers:
- domain: "{{ bitwarden_domain }}" - domain: "{{ bitwarden_domain }}"
proxy_pass: "http://127.0.0.1:8080" proxy_pass: "http://127.0.0.1:8080"
tls:
cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
- domain: "{{ gitea_domain }}" - domain: "{{ gitea_domain }}"
proxy_pass: "http://127.0.0.1:3080" proxy_pass: "http://127.0.0.1:3080"
tls:
cert: /etc/letsencrypt/live/{{ base_domain }}/fullchain.pem
key: /etc/letsencrypt/live/{{ base_domain }}/privkey.pem
# docker # docker
docker_users: docker_users:

View File

@ -20,10 +20,20 @@
- name: Install nginx sites configuration - name: Install nginx sites configuration
template: template:
src: server-nginx.conf.j2 src: server-nginx.conf.j2
dest: "/etc/nginx/conf.d/{{ item.domain }}.conf" dest: "/etc/nginx/sites-available/{{ item.domain }}.conf"
mode: '0644' mode: '0644'
loop: "{{ proxy.servers }}" loop: "{{ proxy.servers }}"
notify: reload_nginx notify: reload_nginx
register: nginx_sites
- name: Enable nginx sites configuration
file:
src: "/etc/nginx/sites-available/{{ item.item.domain }}.conf"
dest: "/etc/nginx/sites-enabled/{{ item.item.domain }}.conf"
state: link
loop: "{{ nginx_sites.results }}"
when: item.changed
notify: reload_nginx
- name: Generate self-signed certificate - name: Generate self-signed certificate
shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \ shell: 'openssl req -newkey rsa:4096 -x509 -sha256 -days 3650 -nodes \
@ -32,21 +42,21 @@
-out /etc/ssl/certs/nginx-selfsigned.crt' -out /etc/ssl/certs/nginx-selfsigned.crt'
args: args:
creates: /etc/ssl/certs/nginx-selfsigned.crt creates: /etc/ssl/certs/nginx-selfsigned.crt
when: not proxy.production when: proxy.production is not defined or not proxy.production
notify: reload_nginx notify: reload_nginx
- name: Install LE's certbot - name: Install LE's certbot
apt: apt:
name: ['certbot', 'python3-certbot-dns-cloudflare'] name: ['certbot', 'python3-certbot-dns-cloudflare']
state: present state: present
when: proxy.production when: proxy.production is defined and proxy.production
- name: Install Cloudflare API token - name: Install Cloudflare API token
template: template:
src: cloudflare.ini.j2 src: cloudflare.ini.j2
dest: /root/.cloudflare.ini dest: /root/.cloudflare.ini
mode: '0600' mode: '0600'
when: proxy.production and proxy.dns_cloudflare is defined when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
- name: Create nginx post renewal hook directory - name: Create nginx post renewal hook directory
file: file:
@ -55,10 +65,10 @@
- name: Install nginx post renewal hook - name: Install nginx post renewal hook
copy: copy:
src: restart-nginx.sh src: reload-nginx.sh
dest: /etc/letsencrypt/renewal-hooks/post/nginx.sh dest: /etc/letsencrypt/renewal-hooks/post/reload-nginx.sh
mode: '0755' mode: '0755'
when: proxy.production when: proxy.production is defined and proxy.production
- name: Run Cloudflare DNS-01 challenges on wildcard domains - name: Run Cloudflare DNS-01 challenges on wildcard domains
shell: '/usr/bin/certbot certonly \ shell: '/usr/bin/certbot certonly \
@ -67,9 +77,9 @@
--email "{{ proxy.dns_cloudflare.email }}" \ --email "{{ proxy.dns_cloudflare.email }}" \
--dns-cloudflare \ --dns-cloudflare \
--dns-cloudflare-credentials /root/.cloudflare.ini \ --dns-cloudflare-credentials /root/.cloudflare.ini \
-d "*.{{ item }}"' -d "*.{{ item }}" {{ proxy.dns_cloudflare.opts | default("") }}'
args: args:
creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem" creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
loop: "{{ proxy.dns_cloudflare.wildcard_domains }}" loop: "{{ proxy.dns_cloudflare.wildcard_domains }}"
when: proxy.production and proxy.dns_cloudflare is defined when: proxy.production is defined and proxy.production and proxy.dns_cloudflare is defined
notify: reload_nginx notify: reload_nginx

View File

@ -22,4 +22,5 @@ http {
server_names_hash_bucket_size 128; server_names_hash_bucket_size 128;
include /etc/nginx/conf.d/*.conf; include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
} }

View File

@ -2,10 +2,18 @@ server {
listen 443 ssl; listen 443 ssl;
server_name {{ item.domain }}; server_name {{ item.domain }};
access_log /var/log/nginx/{{ item.domain }}.log main; access_log /var/log/nginx/{{ item.domain }}.log main;
{% if proxy.production and item.tls.cert is not defined %} {% if proxy.production is defined and proxy.production and proxy.dns_cloudflare.wildcard_domains is defined and item.tls.cert is not defined %}
{% for wildcard in proxy.dns_cloudflare.wildcard_domains %}
{% set domain_regex = '^\*\.' + wildcard + '$' %}
{% if item.domain | regex_search(wildcard) %}
ssl_certificate /etc/letsencrypt/live/{{ wildcard }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ wildcard }}/privkey.pem;
{% endif %}
{% endfor %}
{% elif proxy.production is defined and proxy.production and item.tls.cert is not defined %}
ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem; ssl_certificate /etc/letsencrypt/live/{{ item.domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem; ssl_certificate_key /etc/letsencrypt/live/{{ item.domain }}/privkey.pem;
{% elif proxy.production and item.tls.cert is defined %} {% elif proxy.production is defined and proxy.production and item.tls.cert is defined %}
ssl_certificate {{ item.tls.cert }}; ssl_certificate {{ item.tls.cert }};
ssl_certificate_key {{ item.tls.key }}; ssl_certificate_key {{ item.tls.key }};
{% else %} {% else %}