authorElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-01-05 16:13:01 -0500
committerElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-01-05 16:13:01 -0500
commitfb0b3914086484d9284426985984e2c1699ba557 (patch)
tree963a2288a3b33f389972a78efaf3b6462bbe1925 /roles/private/tasks/main.yml
parentb62d5f559b81556a1dd6197c72a0c43ba1744477 (diff)
ldap, internal CA, internal webserver, dns, etc.
Diffstat (limited to 'roles/private/tasks/main.yml')
-rw-r--r--roles/private/tasks/main.yml95
1 files changed, 95 insertions, 0 deletions
diff --git a/roles/private/tasks/main.yml b/roles/private/tasks/main.yml
new file mode 100644
index 0000000..5c4eb7e
--- /dev/null
+++ b/roles/private/tasks/main.yml
@@ -0,0 +1,95 @@
+---
+- name: allow http from vpn
+ ufw:
+ rule: allow
+ port: '80'
+ proto: tcp
+ from: 100.64.0.0/10
+
+- name: allow https from vpn
+ ufw:
+ rule: allow
+ port: '443'
+ proto: tcp
+ from: 100.64.0.0/10
+
+- name: restart ufw
+ service: name=ufw state=restarted enabled=yes
+
+- name: install letsencrypt
+ apt: name=letsencrypt state=latest
+
+- name: create letsencrypt directory
+ file: name=/var/www/letsencrypt state=directory
+
+- name: install nginx
+ apt: name=nginx state=latest
+
+- name: remove default nginx
+ file: name=/etc/nginx/sites-enabled/default state=absent
+
+- name: generate dhparams
+ shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+ args:
+ creates: /etc/nginx/dhparams.pem
+
+- name: add system nginx config
+ template:
+ src: ../files/nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: copy http nginx configuration for each domain
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/nginx/sites-enabled/"
+ with_fileglob:
+ - "files/{{ inventory_hostname }}/http.*.conf"
+
+- name: restart nginx to get letsencrypt certificate
+ service: name=nginx state=restarted enabled=yes
+
+- name: find deployed domains
+ ansible.builtin.find:
+ paths: "/etc/nginx/sites-enabled/"
+ patterns: "http.*.conf"
+ register: nginx_conf_files
+ delegate_to: "{{ inventory_hostname }}"
+
+- name: extract domains from deployed nginx configurations
+ shell: |
+ grep -oP 'server_name\s+\K[^;]+' "{{ item.path }}"
+ loop: "{{ nginx_conf_files.files }}"
+ register: extracted_domains
+
+# crt is given from the "ca" role to all hosts; that needs to run first
+- name: request letsencrypt certificate
+ shell: >
+ REQUESTS_CA_BUNDLE="/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt" \
+ letsencrypt certonly -n -d {{ item.stdout }} \
+ --server https://{{ step_bootstrap_ca_url }}:{{ step_ca_port }}/acme/ACME/directory \
+ --webroot -w /var/www/letsencrypt \
+ --agree-tos --email {{ step_acme_cert_contact }}
+ args:
+ creates: "/etc/letsencrypt/live/{{ item.stdout }}"
+ loop: "{{ extracted_domains.results }}"
+ when: item.stdout != ""
+
+- name: copy https nginx configuration for each domain
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/nginx/sites-enabled/"
+ with_fileglob:
+ - "files/{{ inventory_hostname }}/https.*.conf"
+
+- name: reload nginx to activate sites
+ service: name=nginx state=restarted
+
+- name: add monthly letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
+ cron:
+ name: "letsencrypt_renewal_{{ item.stdout }}"
+ day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}"
+ hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24 ) }}"
+ minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60 ) }}"
+ job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --server https://{{ step_bootstrap_ca_url }}:{{ step_ca_port }}/acme/ACME/directory --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt --agree-tos --email {{ step_acme_cert_contact }} && service nginx reload"
+ loop: "{{ extracted_domains.results }}"
+ when: item.stdout != ""
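Review bot: The "extract domains from deployed nginx configurations" task aborts the whole play for any `http.*.conf` that contains no `server_name` line, because `grep` exits 1 on no match and the task has neither `failed_when` nor `ignore_errors`, so the `when: item.stdout != ""` guards on the two later tasks are never reached in that case; the task also reports `changed` on every run. Add `changed_when: false` and `failed_when: extracted_domains.rc not in [0, 1]` to that task (and since `grep` needs no shell features, `command:` would be the idiomatic module). The extracted value is then interpolated unquoted into the shell in `-d {{ item.stdout }}` of the "request letsencrypt certificate" task and in `--cert-name {{ item.stdout }}` of the cron `job:` string, so an nginx `server_name` holding a wildcard such as `*.example.com` or several space-separated names is glob-expanded or word-split before certbot sees it; use `{{ item.stdout | quote }}` in both places, or narrow the grep to a single name. The `key=value` argument strings on the `service`, `apt` and `file` tasks would read better as block YAML, consistent with the `ufw`, `template` and `cron` tasks in the same file.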