-rw-r--r--group_vars/webservers.yml3
-rw-r--r--roles/webservers/files/levi/http.simponic.hatecomputers.club.conf13
-rw-r--r--roles/webservers/files/levi/https.simponic.hatecomputers.club.conf25
-rw-r--r--roles/webservers/tasks/main.yml33
-rw-r--r--roles/webservers/templates/plugin.sh.j218
5 files changed, 89 insertions, 3 deletions
diff --git a/group_vars/webservers.yml b/group_vars/webservers.yml
index 6ac1436..2eb1ac3 100644
--- a/group_vars/webservers.yml
+++ b/group_vars/webservers.yml
@@ -1,2 +1,3 @@
---
-letsencrypt_email: 'elizabeth.hunt@simponic.xyz'
+letsencrypt_email: 'elizabeth@simponic.xyz'
+hatecomputers_api_key: "{{ lookup('env', 'HATECOMPUTERS_API_KEY') }}"
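Review bot: `lookup('env', 'HATECOMPUTERS_API_KEY')` returns an empty string when the variable is not exported, so a run without it still reaches the certbot task and hands the auth hook an empty key instead of failing early; the `mandatory` filter does not help here because an empty string is a defined value. On ansible-core 2.13+ the lookup can be told to fail instead, `hatecomputers_api_key: "{{ lookup('env', 'HATECOMPUTERS_API_KEY', default=undef()) }}"`, otherwise an `ansible.builtin.assert` on `hatecomputers_api_key | length > 0` before the certificate task does the same job. Since this value ends up inside task arguments and a rendered file, every task that consumes it should also set `no_log: true` so the key is not printed in verbose or diff output; that lives outside this hunk.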
diff --git a/roles/webservers/files/levi/http.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/http.simponic.hatecomputers.club.conf
new file mode 100644
index 0000000..a58af01
--- /dev/null
+++ b/roles/webservers/files/levi/http.simponic.hatecomputers.club.conf
@@ -0,0 +1,13 @@
+server {
+ listen 80;
+ server_name simponic.hatecomputers.club;
+
+ location /.well-known/acme-challenge {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^ https://simponic.hatecomputers.club$request_uri? permanent;
+ }
+}
diff --git a/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
new file mode 100644
index 0000000..a59145b
--- /dev/null
+++ b/roles/webservers/files/levi/https.simponic.hatecomputers.club.conf
@@ -0,0 +1,25 @@
+server {
+ listen 443 ssl;
+ server_name simponic.hatecomputers.club;
+
+ ssl_certificate /etc/letsencrypt/live/simponic.hatecomputers.club/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/simponic.hatecomputers.club/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/simponic.hatecomputers.club/fullchain.pem;
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_prefer_server_ciphers on;
+
+ root /var/www/html/static.simponic.xyz;
+
+ location / {
+ try_files $uri $uri/ $uri.html =404;
+ }
+}
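Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which are deprecated (RFC 8996), and the cipher list keeps 3DES (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`) and static-RSA suites with no forward secrecy; this is a new vhost with no legacy-client requirement visible in the diff, so use `ssl_protocols TLSv1.2 TLSv1.3;` and trim to the ECDHE AEAD suites, e.g. `ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305";`. Because the companion port-80 vhost already 301-redirects everything here, adding `add_header Strict-Transport-Security "max-age=63072000" always;` would close the first-contact downgrade window. The `root` points at `/var/www/html/static.simponic.xyz`, a directory named for a different domain; presumably the same static site is meant to be served under both names, but a one-line comment saying so would stop a future cleanup from "fixing" it.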
diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml
index fccd34e..1eb53b0 100644
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@@ -62,14 +62,43 @@
loop: "{{ nginx_conf_files.files }}"
register: extracted_domains
-- name: request letsencrypt certificate
+# simponic.xyz
+- name: request simponic letsencrypt certificates
shell: >
letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
--agree-tos -d {{ item.stdout }}
args:
creates: "/etc/letsencrypt/live/{{ item.stdout }}"
loop: "{{ extracted_domains.results }}"
- when: item.stdout != ""
+ when: '"simponic.xyz" in item.stdout'
+
+# hatecomputers.club
+- name: build plugin template
+ template:
+ src: ../templates/plugin.sh.j2
+ dest: /etc/letsencrypt/hcdns.sh
+ mode: 0744
+ owner: root
+ group: root
+
+- name: clone hcdns auth repo
+ ansible.builtin.git:
+ repo: https://git.hatecomputers.club/simponic/hc-cert-dns
+ dest: /root/hc-cert-dns
+
+- name: request hatecomputers letsencrypt certificate
+ shell: >
+ letsencrypt certonly -n \
+ --manual --manual-auth-hook /etc/letsencrypt/hcdns.sh \
+ --preferred-challenges dns \
+ -d {{ item.stdout }} \
+ --email {{ letsencrypt_email }} \
+ --agree-tos \
+ --no-eff-email
+ args:
+ creates: "/etc/letsencrypt/live/{{ item.stdout }}"
+ loop: "{{ extracted_domains.results }}"
+ when: '"hatecomputers.club" in item.stdout'
- name: copy https nginx configuration for each domain
copy:
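Review bot: The `build plugin template` task renders `/etc/letsencrypt/hcdns.sh` with `{{ hatecomputers_api_key }}` embedded in plaintext, yet installs it with `mode: 0744`, so every local user can read the key; it should be `mode: "0700"`, quoted because a bare `0744` is parsed as an integer and Ansible's handling of unquoted octal modes is documented as unreliable. That task should also carry `no_log: true`, otherwise the rendered content (key included) is shown in `--diff`/verbose output. Separately, the `clone hcdns auth repo` task has no `version:` pin, so each run tracks whatever the remote's default branch currently points at, and the resulting `main.py` executes as root holding the API key on every renewal; pinning it (`version: "<commit-sha-or-tag>"`) keeps that from changing underneath you. The `when: '"hatecomputers.club" in item.stdout'` is a substring test rather than a suffix test, which is fine for the domains visible here but would also match an unrelated name containing that string.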
diff --git a/roles/webservers/templates/plugin.sh.j2 b/roles/webservers/templates/plugin.sh.j2
new file mode 100644
index 0000000..796f078
--- /dev/null
+++ b/roles/webservers/templates/plugin.sh.j2
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+unset REQUESTS_CA_BUNDLE
+
+API_KEY_FILE=$(mktemp)
+echo "{{ hatecomputers_api_key }}" >> $API_KEY_FILE
+
+ENDPOINT=https://hatecomputers.club
+PUBLIC_SUFFIXES=.hatecomputers.club
+
+/root/hc-cert-dns/main.py --certbot \
+ --public-suffixes=$PUBLIC_SUFFIXES \
+ --certbot-domain=$CERTBOT_DOMAIN \
+ --certbot-validation=$CERTBOT_VALIDATION \
+ --endpoint=$ENDPOINT \
+ --api-key-file=$API_KEY_FILE
+
+rm $API_KEY_FILE
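Review bot: The hook's exit status is that of the final `rm`, so a failing `main.py` still returns 0 and certbot proceeds to a DNS validation that was never published, and if the script exits early the temp file holding the API key is left behind in /tmp. Adding `set -euo pipefail` and moving the cleanup into an EXIT trap fixes both, and quoting the expansions makes an unset `$CERTBOT_VALIDATION` fail loudly rather than pass an empty argument. `unset REQUESTS_CA_BUNDLE` is unexplained; if it works around a host-wide bundle that cannot validate the `hatecomputers.club` endpoint, a one-line comment saying so would keep the next reader from deleting it. Note the key is still embedded verbatim in the rendered script, so the file mode chosen by the template task matters as much as mktemp's permissions.
```shell
#!/bin/bash
set -euo pipefail

API_KEY_FILE=$(mktemp)
trap 'rm -f "$API_KEY_FILE"' EXIT
printf '%s\n' "{{ hatecomputers_api_key }}" > "$API_KEY_FILE"

# … unchanged: unset REQUESTS_CA_BUNDLE, ENDPOINT, PUBLIC_SUFFIXES …

/root/hc-cert-dns/main.py --certbot \
  --public-suffixes="$PUBLIC_SUFFIXES" \
  --certbot-domain="$CERTBOT_DOMAIN" \
  --certbot-validation="$CERTBOT_VALIDATION" \
  --endpoint="$ENDPOINT" \
  --api-key-file="$API_KEY_FILE"
```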