authorElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-04-11 17:18:35 -0400
committerElizabeth Hunt <elizabeth.hunt@simponic.xyz>2024-04-11 17:18:35 -0400
commit64a2990c536b8a436279db9c576e75c6c1782546 (patch)
tree38865c297094d8a930fd7ee1ede97ac4ebe9fd79 /roles
parentd740b6ab3347c66742e37ff72dfb4cfe30558781 (diff)
hatecomputers.club stuff
Diffstat (limited to 'roles')
-rw-r--r--roles/webservers/files/levi/http.simponic.hatecomputers.club.conf13
-rw-r--r--roles/webservers/files/levi/https.simponic.hatecomputers.club.conf25
-rw-r--r--roles/webservers/tasks/main.yml33
-rw-r--r--roles/webservers/templates/plugin.sh.j218
4 files changed, 87 insertions, 2 deletions
diff --git a/roles/webservers/files/levi/http.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/http.simponic.hatecomputers.club.conf
new file mode 100644
index 0000000..a58af01
--- /dev/null
+++ b/roles/webservers/files/levi/http.simponic.hatecomputers.club.conf
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name simponic.hatecomputers.club;
+
+ location /.well-known/acme-challenge {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^ https://simponic.hatecomputers.club$request_uri? permanent;
+ }
+}
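Review bot: The catch-all `location /` block does the whole-site redirect with `rewrite ^ https://simponic.hatecomputers.club$request_uri? permanent;`, which evaluates a regex on every request and repeats the hostname already fixed by `server_name`. The idiomatic form is `return 301 https://$server_name$request_uri;`, which produces the same redirect without the regex and keeps the hostname in one place. The ACME `location` above it is fine as written.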
diff --git a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
new file mode 100644
index 0000000..a59145b
--- /dev/null
+++ b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ server_name simponic.hatecomputers.club;
+
+ ssl_certificate /etc/letsencrypt/live/simponic.hatecomputers.club/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/simponic.hatecomputers.club/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/simponic.hatecomputers.club/fullchain.pem;
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_prefer_server_ciphers on;
+
+ root /var/www/html/static.simponic.xyz;
+
+ location / {
+ try_files $uri $uri/ $uri.html =404;
+ }
+}
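Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, both deprecated by RFC 8996, and the `ssl_ciphers` list keeps the 3DES suites (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) — the trailing `!DES` excludes only single DES, not 3DES — as well as the static-RSA `AES*-SHA*` suites that offer no forward secrecy. `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 assuming the nginx/OpenSSL build supports it) together with an ECDHE-only AEAD cipher list would address both. `ssl_stapling on` also needs a `resolver` directive to reach the OCSP responder, unless one is already defined in the enclosing `http` block outside this file; and with no `add_header Strict-Transport-Security` here, the HTTP-to-HTTPS redirect in the companion config is the only thing keeping returning clients on TLS.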
diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml
index fccd34e..1eb53b0 100644
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@@ -62,14 +62,43 @@
loop: "{{ nginx_conf_files.files }}"
register: extracted_domains
-- name: request letsencrypt certificate
+# simponic.xyz
+- name: request simponic letsencrypt certificates
shell: >
letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
--agree-tos -d {{ item.stdout }}
args:
creates: "/etc/letsencrypt/live/{{ item.stdout }}"
loop: "{{ extracted_domains.results }}"
- when: item.stdout != ""
+ when: '"simponic.xyz" in item.stdout'
+
+# hatecomputers.club
+- name: build plugin template
+ template:
+ src: ../templates/plugin.sh.j2
+ dest: /etc/letsencrypt/hcdns.sh
+ mode: 0744
+ owner: root
+ group: root
+
+- name: clone hcdns auth repo
+ ansible.builtin.git:
+ repo: https://git.hatecomputers.club/simponic/hc-cert-dns
+ dest: /root/hc-cert-dns
+
+- name: request hatecomputers letsencrypt certificate
+ shell: >
+ letsencrypt certonly -n \
+ --manual --manual-auth-hook /etc/letsencrypt/hcdns.sh \
+ --preferred-challenges dns \
+ -d {{ item.stdout }} \
+ --email {{ letsencrypt_email }} \
+ --agree-tos \
+ --no-eff-email
+ args:
+ creates: "/etc/letsencrypt/live/{{ item.stdout }}"
+ loop: "{{ extracted_domains.results }}"
+ when: '"hatecomputers.club" in item.stdout'
- name: copy https nginx configuration for each domain
copy:
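Review bot: The `build plugin template` task renders `hatecomputers_api_key` in plaintext into `/etc/letsencrypt/hcdns.sh` but sets `mode: 0744`, which leaves the key readable by every local user; the hook only has to be executable by root, so `mode: "0700"` (quoted, so the octal is not parsed as an integer) is enough. The `clone hcdns auth repo` task checks out the repository's default branch with no `version:` pinned, so whatever is pushed there next is executed as root by the auth hook on the next run — pin a tag or commit and consider `update: false`. The new `request hatecomputers letsencrypt certificate` task uses `shell: >` with trailing backslashes, but a folded scalar already joins the lines with single spaces, so each `\` most likely reaches the shell as an escaped space and is handed to certbot as a stray argument; `shell: |` preserves the line breaks so the continuations work as written (the pre-existing task at the top of the hunk has the same shape). The `when: '"hatecomputers.club" in item.stdout'` test is a substring match rather than a suffix match, which is fine for the current domain list but worth a comment.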
diff --git a/roles/webservers/templates/plugin.sh.j2 b/roles/webservers/templates/plugin.sh.j2
new file mode 100644
index 0000000..796f078
--- /dev/null
+++ b/roles/webservers/templates/plugin.sh.j2
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+unset REQUESTS_CA_BUNDLE
+
+API_KEY_FILE=$(mktemp)
+echo "{{ hatecomputers_api_key }}" >> $API_KEY_FILE
+
+ENDPOINT=https://hatecomputers.club
+PUBLIC_SUFFIXES=.hatecomputers.club
+
+/root/hc-cert-dns/main.py --certbot \
+ --public-suffixes=$PUBLIC_SUFFIXES \
+ --certbot-domain=$CERTBOT_DOMAIN \
+ --certbot-validation=$CERTBOT_VALIDATION \
+ --endpoint=$ENDPOINT \
+ --api-key-file=$API_KEY_FILE
+
+rm $API_KEY_FILE
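Review bot: The script's exit status is that of the final `rm`, not of `main.py`, so a failed auth-hook run reports success to certbot, and if the script aborts before the last line the temp file holding the API key is left behind. Replacing the trailing `rm` with `trap 'rm -f "$API_KEY_FILE"' EXIT` placed directly after the `mktemp` line fixes both: the key file is removed on every exit path and the script's status becomes that of `main.py`. Quoting the variables (`"$API_KEY_FILE"`, `"$CERTBOT_DOMAIN"`, `"$CERTBOT_VALIDATION"`) and writing the key with `>` rather than `>>` into the freshly created file would also be tidier, and the `unset REQUESTS_CA_BUNDLE` deserves a comment explaining why it is needed.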